javasecurity:S2083 Solve without knowing the parent directory

Hello,
SonarQube displays the following error:
“Change this code to not construct the path from user-controlled data”
All the solutions across the web are based on a predefined parent-path that is used to validate the user-controlled path.
In the legacy application I’m supporting, the whole path is received from the user.
Is there any way to solve this Sonar issue in this case?
I’m using SonarQube Enterprise Edition v10.6 (92116)

  • ALM used - Bitbucket Cloud
  • CI system used - Jenkins
  • Language of the repository - Java

Thanks!

Hey Nethanel!

Can you tell me why you don’t know the parent directory? Is it because the application is supposed to be able to write to arbitrary directories? In that case, it is vulnerable by design and there is not much you can do without changing the behavior of the application. You have to decide for yourself then if it is an acceptable risk, e.g., who has access to the functionality that can write to arbitrary locations?

1 Like

Hello Hendrick,
Thank you for your answer.
Yes, the parent directory is unknown because it’s an engineering tool that was designed to access paths on the local network.
Eventually I got to the same conclusion as you did and changed the behavior of the application to access only a specific folder, and that solved the issue.

1 Like
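The fix the thread settles on (restrict the tool to one known folder and validate every user-supplied path against it) can be implemented in Java as shown below. This is an added example, not code from the thread or from SonarSource; the class name `SafePathResolver`, the temporary base directory created in `main`, and the sample inputs are all assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and ".." so all later comparisons use the canonical form
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Resolves a user-supplied path against the fixed base directory and rejects
     * anything that would escape it. An absolute input replaces the base in
     * resolve(), so it fails the startsWith() check just like a "../" sequence.
     */
    public Path resolve(String userPath) throws IOException {
        Path candidate = baseDir.resolve(userPath).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("Path escapes the allowed directory: " + userPath);
        }
        // If the target already exists, re-check on the real path so a symlink inside
        // baseDir that points outside it is also rejected.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new IllegalArgumentException("Path resolves outside the allowed directory: " + userPath);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a throwaway directory stands in for the tool's configured folder
        Path tmp = Files.createTempDirectory("s2083-demo");
        SafePathResolver resolver = new SafePathResolver(tmp);

        System.out.println("accepted: " + resolver.resolve("reports/2024/summary.txt"));

        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd"}) {
            try {
                resolver.resolve(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The essential design point is that the base directory is fixed in code or configuration, never taken from the request, and that comparison happens on normalized (and, where the file exists, canonical) paths rather than on the raw string; a `contains("..")` check on the input is not a substitute, because encoded or symlinked routes out of the folder would pass it.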