Avoid user-input file

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Avoid user-input file

Metadata

ID: java-security/spring-request-file-tainted

Language: Java

Severity: Notice

Category: Security

CWE: 23

Description

An attacker could try to pass a filename of content that could traverse the server path and control system files. Make sure all user-inputs is checked and sanitized before use.

Learn More

CWE-23 - Relative Path Traversal

Non-Compliant Code Examples

class Test {
  @PostMapping(value = "/fileupload")
  public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
    var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    var destinationDir = new File(fileLocation, user.getUsername());
    destinationDir.mkdirs();
    myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
    log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));

    return new ModelAndView(
        new RedirectView("files", true),
        new ModelMap().addAttribute("uploadSuccess", "File uploaded successful"));
  }
}

Compliant Code Examples

class Test {
  @PostMapping(value = "/fileupload")
  public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
    // Safe: using sanitized filename
    String sanitizedFilename = "upload_" + System.currentTimeMillis() + ".dat";
    File destinationDir = new File(fileLocation);
    myFile.transferTo(new File(destinationDir, sanitizedFilename));
    return new ModelAndView(new RedirectView("files", true));
  }
}