This rule prevents security vulnerabilities that allow an attacker to read, write, or delete files on the server that they should not have access to. This type of attack, known as Path Traversal or Directory Traversal, involves manipulating variables that reference files with ../ sequences and its variations.
The potential harm of this vulnerability is significant, as it can lead to unauthorized access to sensitive data, corruption of system files, or even complete takeover of the server. It is, therefore, crucial to implement safeguards against path traversal attacks in your code.
In Java, you can avoid path traversal vulnerabilities by not using user input directly to access file paths. If you must use user input, ensure that it is properly sanitized. For example, you could use a whitelist of acceptable inputs, or strip out or deny any input containing ‘..’ or similar sequences. In the provided code, the user input (param) is used to construct a file path (fileName), but it is first checked to ensure that it does not contain any path traversal sequences. This makes the code compliant with the ‘Prevent path traversal’ rule.
Non-Compliant Code Examples
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/pathtraver-00/BenchmarkTest00045")publicclassBenchmarkTest00045extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{doPost(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{// some code
response.setContentType("text/html;charset=UTF-8");String[]values=request.getParameterValues("BenchmarkTest00045");Stringparam;if(values!=null&&values.length>0)param=values[0];elseparam="";StringfileName=org.owasp.benchmark.helpers.Utils.TESTFILES_DIR+param;try(// Create the file first so the test won't throw an exception if it doesn't exist.
// Note: Don't actually do this because this method signature could cause a tool to find
// THIS file constructor
// as a vuln, rather than the File signature we are trying to actually test.
// If necessary, just run the benchmark twice. The 1st run should create all the necessary
// files.
// new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR +
// param).createNewFile();
java.io.FileOutputStreamfos=newjava.io.FileOutputStream(newjava.io.FileInputStream(fileName).getFD());){response.getWriter().println("Now ready to write to file: "+org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName));}catch(Exceptione){System.out.println("Couldn't open FileOutputStream on file: '"+fileName+"'");}}}
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- java-security # Rules to enforce Java security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines
