
How to fix CWE 73 External Control of File Name or Path

During a Veracode scan I got a CWE 73 issue in my result. Can someone suggest how to fix this for the coding scenario below?

The existing solutions provided are not working. Also, I would like to know whether any ESAPI properties can be used to get rid of this issue.

    try {
        String serviceFile = System.getProperty("PROP", "");
        logger.info("service A", "Loading service file [" + serviceFile + "]."); // Security issue CWE 73 occurs on this line
    }

There are several solutions for it:

  1. Validate against a whitelist, but use the input from the entry point, as mentioned under "Use a list of hardcoded values".

  2. Validate with a simple regular-expression whitelist

  3. Canonicalise the input and validate the path

I used the first and second solutions and they work fine.

More info at: https://community.veracode.com/s/article/how-do-i-fix-cwe-73-external-control-of-file-name-or-path-in-java
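The three options listed above, worked through in one class as an added example (this is not code from the answer or from the Veracode article). The base directory /opt/app/config, the two known file names and the 64-character name limit are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

public class ServiceFileResolver {

    // Assumed base directory; every accepted path must resolve beneath it.
    static final Path BASE_DIR = Paths.get("/opt/app/config").toAbsolutePath().normalize();

    // Option 1: hardcoded allow-list. The value passed downstream is the constant,
    // never the raw input, so no tainted string reaches the file API.
    static final Set<String> KNOWN_FILES = Set.of("serviceA.properties", "serviceB.properties");

    // Option 2: regex allow-list for a bare file name: no separators, no "..",
    // one fixed extension. Anything that could navigate the tree cannot match.
    static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.properties$");

    public static Path fromAllowList(String requested) {
        for (String known : KNOWN_FILES) {
            if (known.equals(requested)) {
                return BASE_DIR.resolve(known);
            }
        }
        throw new IllegalArgumentException("unknown service file: " + requested);
    }

    public static Path fromRegex(String requested) {
        if (requested == null || !SAFE_NAME.matcher(requested).matches()) {
            throw new IllegalArgumentException("service file name rejected");
        }
        return BASE_DIR.resolve(requested);
    }

    // Option 3: canonicalise, then check containment with Path.startsWith, which compares
    // path components (so /opt/app/config-old is not mistaken for a child of /opt/app/config).
    public static Path fromCanonicalPath(String requested) throws IOException {
        // resolve() of an absolute input such as "/etc/passwd" returns that input unchanged,
        // so the containment check below is what catches it.
        Path candidate = BASE_DIR.resolve(requested).toAbsolutePath().normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory: " + requested);
        }
        // normalize() is lexical only; toRealPath() also follows symlinks, but needs the file to exist.
        Path real = candidate.toRealPath();
        if (!real.startsWith(BASE_DIR.toRealPath())) {
            throw new IllegalArgumentException("symlink escapes base directory: " + requested);
        }
        return real;
    }

    public static void main(String[] args) {
        // Constructed inputs: the configured value (or a legitimate default) and two traversal attempts.
        String[] inputs = { System.getProperty("PROP", "serviceA.properties"),
                            "../../etc/passwd", "/etc/passwd" };
        for (String in : inputs) {
            try {
                System.out.println("allow-list : " + fromAllowList(in));
            } catch (IllegalArgumentException e) {
                System.out.println("allow-list : rejected (" + e.getMessage() + ")");
            }
            try {
                System.out.println("regex      : " + fromRegex(in));
            } catch (IllegalArgumentException e) {
                System.out.println("regex      : rejected (" + e.getMessage() + ")");
            }
            try {
                System.out.println("canonical  : " + fromCanonicalPath(in));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("canonical  : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `java -DPROP=serviceA.properties ServiceFileResolver`. Option 1 is the one a static engine can follow without help, because the string handed to the file API is a literal. Options 2 and 3 remove the risk but, as the second answer below describes from experience, the scanner may keep flagging them because it does not execute the validation; keeping the check in one method makes it easy to mark that method for the scanner.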

This document provides detailed information on recommended remedies and any explicit custom solution. In my case, I tried whitelisting or blacklisting patterns in the provided method parameters; however, that still did not resolve the CWE-73 risk. I think that's expected, and the document does state this:

A static engine is limited in what it can detect. It can only scan your code; it won't actually run your code (unlike Dynamic Scanning). So it won't pick up any custom validation (if conditions, regular expressions, etc.). But that doesn't mean that this is not a perfectly valid solution that removes the risk!

I tried my custom blacklist-pattern-based solution and annotated the method with @FilePathCleanser as documented there, and it resolved CWE-73; Veracode no longer shows that as a risk.

Try to validate this PROP string with the recommended OWASP ESAPI Validator methods, like below.

Example:

    // getValidInput(context, input, type, maxLength, allowNull) throws ValidationException on a mismatch;
    // the call as originally posted omitted the maxLength argument (255 is an assumed limit here)
    String propParam = ESAPI.validator().getValidInput("", System.getProperty("PROP", ""), "FileRegex", 255, false);

FileRegex is the regular expression against which the PROP string, i.e. the path of the file, is validated.

Define FileRegex = ^(.+)\/([^\/]+)$ in Validator.properties.
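The same ESAPI call wired up end to end, as an added example that is not part of the answer above. The directory /opt/app/config, the 255-character limit and the exception handling are assumptions; the property is looked up by ESAPI as Validator.FileRegex (the default distribution keeps these entries in validation.properties). Note that a pattern of the form ^(.+)/([^/]+)$ also matches ../../etc/passwd, so the pattern below pins the path to one directory and restricts the file-name characters instead.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class PropValidator {

    // Assumed entry in ESAPI's validation properties file (backslashes are doubled
    // because the .properties format consumes one level of escaping):
    //
    //   Validator.FileRegex=^/opt/app/config/[A-Za-z0-9_-]{1,64}\\.properties$
    //
    // Only an absolute path inside /opt/app/config with a plain file name can match,
    // so there is no way to express ".." or a second directory level.

    static final int MAX_PATH_LENGTH = 255; // assumed upper bound for the property value

    // Returns the validated path, or throws if the -DPROP value is not acceptable.
    public static String validatedServiceFile() {
        String raw = System.getProperty("PROP", "");
        try {
            // context "PROP" only labels the value in ESAPI's log output;
            // allowNull=false makes an empty or missing property a validation failure.
            return ESAPI.validator().getValidInput("PROP", raw, "FileRegex", MAX_PATH_LENGTH, false);
        } catch (ValidationException e) {
            // getLogMessage() holds the detail (including the rejected input) for the log;
            // getUserMessage() is the sanitised text safe to surface.
            throw new IllegalStateException("PROP rejected: " + e.getUserMessage(), e);
        } catch (IntrusionException e) {
            // Raised when ESAPI's intrusion detector decides the input is an attack.
            throw new IllegalStateException("PROP flagged as intrusion attempt", e);
        }
    }

    public static void main(String[] args) {
        String serviceFile = validatedServiceFile();
        System.out.println("Loading service file [" + serviceFile + "].");
    }
}
```

Run with `java -DPROP=/opt/app/config/serviceA.properties PropValidator`; a value such as `-DPROP=/opt/app/config/../../../etc/passwd` fails the pattern and the program stops before the path is used.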
