このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください 。
このルールを試す ID: java-security/spring-request-file-tainted
Language: Java
Severity: Notice
Category: Security
CWE : 23
Description An attacker could try to pass a filename of content that could traverse the server path and control system files. Make sure all user-inputs is checked and sanitized before use.
Learn More Non-Compliant Code Examples class Test {
@PostMapping ( value = "/fileupload" )
public ModelAndView importFile ( @RequestParam ( "file" ) MultipartFile myFile ) throws IOException {
var user = ( WebGoatUser ) SecurityContextHolder . getContext (). getAuthentication (). getPrincipal ();
var destinationDir = new File ( fileLocation , user . getUsername ());
destinationDir . mkdirs ();
myFile . transferTo ( new File ( destinationDir , myFile . getOriginalFilename ()));
log . debug ( "File saved to {}" , new File ( destinationDir , myFile . getOriginalFilename ()));
return new ModelAndView (
new RedirectView ( "files" , true ),
new ModelMap (). addAttribute ( "uploadSuccess" , "File uploaded successful" ));
}
}
Seamless integrations. Try Datadog Code Analysis