Prevent path traversal

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: java-security/path-traversal

Language: Java

Severity: Warning

Category: Security

CWE: 22

Description

This rule prevents security vulnerabilities that allow an attacker to read, write, or delete files on the server that they should not have access to. This type of attack, known as Path Traversal or Directory Traversal, involves manipulating variables that reference files with ../ sequences and its variations.

The potential harm of this vulnerability is significant, as it can lead to unauthorized access to sensitive data, corruption of system files, or even complete takeover of the server. It is, therefore, crucial to implement safeguards against path traversal attacks in your code.

In Java, you can avoid path traversal vulnerabilities by not using user input directly to access file paths. If you must use user input, ensure that it is properly sanitized. For example, you could use a whitelist of acceptable inputs, or strip out or deny any input containing ‘..’ or similar sequences. In the provided code, the user input (param) is used to construct a file path (fileName), but it is first checked to ensure that it does not contain any path traversal sequences. This makes the code compliant with the ‘Prevent path traversal’ rule.

Non-Compliant Code Examples

import org.apache.commons.io.FilenameUtils;

class Compliant {
    @GET
    @Path("/images/{image}")
    @Produces("images/*")
    public Response getImage(@javax.ws.rs.PathParam("image") String image) {
        File file = new File("resources/images/", image);

        if (!file.exists()) {
            return Response.status(Status.NOT_FOUND).build();
        }

        return Response.ok().entity(new FileInputStream(file)).build();
    }
}

Compliant Code Examples

import org.apache.commons.io.FilenameUtils;

class Compliant {
    @GET
    @Path("/images/{image}")
    @Produces("images/*")
    public Response getImage(@javax.ws.rs.PathParam("image") String image) {
        File file = new File(
            "resources/images/",
            // Use of sanitizer:
            FilenameUtils.getName(image)
        );

        if (!file.exists()) {
            return Response.status(Status.NOT_FOUND).build();
        }

        return Response.ok().entity(new FileInputStream(file)).build();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis