Path Traversal Vulnerability
Description
The filename provided by the FileUpload API can be tampered with by the client to reference unauthorized files. The provided filename should be validated to ensure that it is well formed, contains no path separator or traversal characters, and refers to a file the user is authorized to access.
Examples
Insecure Code

```java
// The untrusted filename from the request is concatenated straight into the path,
// so a value containing "../" segments can escape images/userprofiles/.
String input = req.getHeader("input");
String safePath = "images/userprofiles/" + input;
```

Secure Code

```java
String input = req.getHeader("input");
// getName() discards any directory component, keeping only the final file name.
input = org.apache.commons.io.FilenameUtils.getName(input);
// concat() joins that name onto the fixed base directory and normalizes the result.
String safePath = org.apache.commons.io.FilenameUtils.concat("images/userprofiles/", input);
```

Remediation
Use getName() together with concat() to strip any path traversal component and confine the result to a restricted directory. Alternatively, use resolve() followed by startsWith() to verify that the resolved file path lies under the expected base directory.
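The resolve()/startsWith() alternative, written out as an added example that is not part of the rule's own code. The base directory images/userprofiles is the one used above; the class, method and sample inputs are assumptions. The example normalizes before checking containment, since resolve() alone does not collapse ".." segments.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/* Added example (hypothetical class name): confine an untrusted upload
 * filename to a fixed base directory using java.nio.file. */
public class SafeUploadPath {
    // Absolute, normalized base so the containment check is not fooled by
    // relative segments in the base itself.
    private static final Path BASE =
        Paths.get("images/userprofiles").toAbsolutePath().normalize();

    /** Returns the resolved path, or throws if the input escapes BASE. */
    public static Path resolveUpload(String untrustedName) {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        Path candidate;
        try {
            // resolve() joins the segments; an absolute input replaces BASE
            // entirely, which the startsWith() check below then rejects.
            // normalize() folds "." and ".." so traversal is collapsed before
            // the containment check runs.
            candidate = BASE.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            // e.g. NUL bytes or characters the filesystem rejects
            throw new SecurityException("malformed filename", e);
        }
        // Path.startsWith compares whole path components, so a sibling
        // directory such as images/userprofiles2 is not accepted as a prefix
        // the way a String.startsWith check would accept it.
        if (!candidate.startsWith(BASE)) {
            throw new SecurityException("path escapes upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, the rest should be rejected.
        String[] inputs = { "avatar.png", "../../outside.txt", "/tmp/outside.txt" };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveUpload(in));
            } catch (SecurityException e) {
                System.out.println(in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Unlike getName(), this approach keeps subdirectories beneath the base (for example sub/avatar.png), so choose it only when that is intended.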
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0704 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, FileUpload API |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |