Prevent path traversal

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: java-security/path-traversal

Language: Java

Severity: Warning

Category: Security

CWE: 22

Description

This rule prevents security vulnerabilities that allow an attacker to read, write, or delete files on the server that they should not have access to. This type of attack, known as Path Traversal or Directory Traversal, involves manipulating variables that reference files with ../ sequences and its variations.

The potential harm of this vulnerability is significant, as it can lead to unauthorized access to sensitive data, corruption of system files, or even complete takeover of the server. It is, therefore, crucial to implement safeguards against path traversal attacks in your code.

In Java, you can avoid path traversal vulnerabilities by not using user input directly to access file paths. If you must use user input, ensure that it is properly sanitized. For example, you could use a whitelist of acceptable inputs, or strip out or deny any input containing ‘..’ or similar sequences. In the provided code, the user input (param) is used to construct a file path (fileName), but it is first checked to ensure that it does not contain any path traversal sequences. This makes the code compliant with the ‘Prevent path traversal’ rule.

Non-Compliant Code Examples

import org.apache.commons.io.FilenameUtils;

class Compliant {
    @GET
    @Path("/images/{image}")
    @Produces("images/*")
    public Response getImage(@javax.ws.rs.PathParam("image") String image) {
        File file = new File("resources/images/", image);

        if (!file.exists()) {
            return Response.status(Status.NOT_FOUND).build();
        }

        return Response.ok().entity(new FileInputStream(file)).build();
    }
}

Compliant Code Examples

import org.apache.commons.io.FilenameUtils;

class Compliant {
    @GET
    @Path("/images/{image}")
    @Produces("images/*")
    public Response getImage(@javax.ws.rs.PathParam("image") String image) {
        File file = new File(
            "resources/images/",
            // Use of sanitizer:
            FilenameUtils.getName(image)
        );

        if (!file.exists()) {
            return Response.status(Status.NOT_FOUND).build();
        }

        return Response.ok().entity(new FileInputStream(file)).build();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

원활한 통합. Datadog Code Security를 경험해 보세요

Datadog Code Security