[英]How to fix Fortify Path Manipulation ( Input Validation and Representation , Data Flow ) vulnerability
我在使用新關鍵字創建文件時強化了路徑操作漏洞
我試圖在將路徑傳遞給File對象之前對其進行清理,但是問題仍然存在。 還嘗試了此鏈接: https : //www.securecoding.cert.org/confluence/display/java/FIO00-J.+Do+not+operate+on+files+in+shared+directories
public static String sanitizePath(String sUnsanitized) throws URISyntaxException, EncodingException {
String sSanitized = SAPI.encoder().canonicalize(sUnsanitized);
return sSanitized;
}
//// the main method code snippet /////
String sSanitizedPath = Utils.sanitizePath(file.getOriginalFilename());
-- fortify scan detects problem here ..in below line --
File filePath = new File(AppInitializer.UPLOAD_LOCATION, sSanitizedPath);
String canonicalPath = filePath.getCanonicalPath();
FileOutputStream fileOutputStream = new FileOutputStream(canonicalPath);
經過santizePath之后,我認為掃描不會被選擇,而是這樣做了。
此“ sunsanitized”變量來自用戶輸入嗎? 也許這是您的真正問題。
永遠不要相信用戶輸入其發展的第一法則。
XML外部實體注入(輸入驗證和表示,數據流)
[英]XML External Entity Injection (Input Validation and Representation, Data Flow)
拒絕服務:正則表達式(輸入驗證和表示,數據流)
[英]Denial of Service: Regular Expression (Input Validation and Representation, Data Flow)
跨站點腳本:差的驗證(輸入驗證和表示,數據流)
[英]Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)
Fortify如何修復“通過調用println()公開系統數據或調試信息”
[英]How to fix “reveal system data or debugging information by calling println()” by Fortify
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.