This rule prevents security vulnerabilities that allow an attacker to read, write, or delete files on the server that they should not have access to. This type of attack, known as Path Traversal or Directory Traversal, involves manipulating variables that reference files with ../ sequences and its variations.
The potential harm of this vulnerability is significant, as it can lead to unauthorized access to sensitive data, corruption of system files, or even complete takeover of the server. It is, therefore, crucial to implement safeguards against path traversal attacks in your code.
In Java, you can avoid path traversal vulnerabilities by not using user input directly to access file paths. If you must use user input, ensure that it is properly sanitized. For example, you could use a whitelist of acceptable inputs, or strip out or deny any input containing ‘..’ or similar sequences. In the provided code, the user input (param) is used to construct a file path (fileName), but it is first checked to ensure that it does not contain any path traversal sequences. This makes the code compliant with the ‘Prevent path traversal’ rule.
importorg.apache.commons.io.FilenameUtils;classCompliant{@GET@Path("/images/{image}")@Produces("images/*")publicResponsegetImage(@javax.ws.rs.PathParam("image")Stringimage){Filefile=newFile("resources/images/",// Use of sanitizer:FilenameUtils.getName(image));if(!file.exists()){returnResponse.status(Status.NOT_FOUND).build();}returnResponse.ok().entity(newFileInputStream(file)).build();}}
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- java-security # Rules to enforce Java security.
