![](/img/trans.png)
[英]XML External Entity Injection (Input Validation and Representation, Data Flow)
[英]How to fix Fortify Path Manipulation ( Input Validation and Representation , Data Flow ) vulnerability
我在使用新关键字创建文件时强化了路径操作漏洞
我试图在将路径传递给File对象之前对其进行清理,但是问题仍然存在。 还尝试了此链接: https : //www.securecoding.cert.org/confluence/display/java/FIO00-J.+Do+not+operate+on+files+in+shared+directories
public static String sanitizePath(String sUnsanitized) throws URISyntaxException, EncodingException {
String sSanitized = SAPI.encoder().canonicalize(sUnsanitized);
return sSanitized;
}
//// the main method code snippet /////
String sSanitizedPath = Utils.sanitizePath(file.getOriginalFilename());
-- fortify scan detects problem here ..in below line --
File filePath = new File(AppInitializer.UPLOAD_LOCATION, sSanitizedPath);
String canonicalPath = filePath.getCanonicalPath();
FileOutputStream fileOutputStream = new FileOutputStream(canonicalPath);
经过santizePath之后,我认为扫描不会被选择,而是这样做了。
此“ sunsanitized”变量来自用户输入吗? 也许这是您的真正问题。
永远不要相信用户输入其发展的第一法则。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.