![](/img/trans.png)
[英]XML External Entity Injection (Input Validation and Representation, Data Flow)
[英]How to fix Fortify Path Manipulation ( Input Validation and Representation , Data Flow ) vulnerability
我在使用新關鍵字創建文件時強化了路徑操作漏洞
我試圖在將路徑傳遞給File對象之前對其進行清理,但是問題仍然存在。 還嘗試了此鏈接: https : //www.securecoding.cert.org/confluence/display/java/FIO00-J.+Do+not+operate+on+files+in+shared+directories
public static String sanitizePath(String sUnsanitized) throws URISyntaxException, EncodingException {
String sSanitized = SAPI.encoder().canonicalize(sUnsanitized);
return sSanitized;
}
//// the main method code snippet /////
String sSanitizedPath = Utils.sanitizePath(file.getOriginalFilename());
-- fortify scan detects problem here ..in below line --
File filePath = new File(AppInitializer.UPLOAD_LOCATION, sSanitizedPath);
String canonicalPath = filePath.getCanonicalPath();
FileOutputStream fileOutputStream = new FileOutputStream(canonicalPath);
經過santizePath之后,我認為掃描不會被選擇,而是這樣做了。
此“ sunsanitized”變量來自用戶輸入嗎? 也許這是您的真正問題。
永遠不要相信用戶輸入其發展的第一法則。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.