We are using SonarQube 9.9 Data Center Edition
Language: Java
Rule: javasecurity:S2083 (other javasecurity-rules are affected as well)
We recently got a report from a penetration test that identified a Path Traversal vulnerability. I looked into the code and wondered why this was not detected. It looks like SQ is not detecting Apache Commons FileUpload as a taint source, at least not the methods used in our code.
Bad code sample (full code is attached):
TestServlet.txt (1.4 KB)
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.InputStream;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.fileupload.util.Streams;

String fileName = null;
ServletFileUpload upload = new ServletFileUpload();
FileItemIterator iter = upload.getItemIterator(request);
while (iter.hasNext()) {
    FileItemStream item = iter.next();
    if (item.isFormField()) {
        String name = item.getFieldName();
        if (name.equals("filename")) {
            try (InputStream stream = item.openStream()) { // source: request-controlled data
                String value = Streams.asString(stream); // passthrough: taint flows from stream to value
                fileName = value;
            }
        }
    }
}
// sink: tainted file name reaches the file system unchecked, should be path traversal (javasecurity:S2083)
try (BufferedReader br = new BufferedReader(new FileReader(fileName))) {
    // the file is read here (rest of the servlet is in the attached TestServlet.txt)
}
Documentation from Apache Commons:
https://commons.apache.org/proper/commons-fileupload/using.html
By default this does not get detected. I added a custom SAST engine config to make this work. Only adding the source was not enough; I also had to add the passthrough for the helper method:
{
  "common": {
    "sources": [
      {
        "methodId": "org.apache.commons.fileupload.FileItemStream#openStream()Ljava/io/InputStream;"
      }
    ],
    "passthroughs": [
      {
        "methodId": "org.apache.commons.fileupload.util.Streams#asString(Ljava/io/InputStream;)Ljava/lang/String;",
        "isWhitelist": true,
        "args": [1]
      }
    ]
  }
}
Is there any possibility to add this in your default SAST engine config?
I could add this globally in our config, but it seems the SAST engine config only allows 4000 bytes, and if I add all our custom configs in every project we would be above that soon.
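As an added example (not code from the post above or from the attached TestServlet.txt), this is the hardened counterpart of the `FileReader` sink: the value taken from the "filename" form field is resolved against a fixed upload directory and rejected if its normalized form escapes that directory, before anything is opened. The base directory `/var/app/uploads`, the class name `SafeFileRead` and the sample inputs in `main` are assumptions made for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeFileRead {

    // Hypothetical base directory; in a real servlet this would come from configuration.
    private static final Path BASE_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * Resolves a user-supplied file name against the base directory and rejects
     * any value that is empty, absolute, or whose normalized form
     * (e.g. "../../etc/passwd") lies outside the base directory.
     */
    static Path resolveWithinBase(Path base, String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("file name must not be empty");
        }
        Path candidate = Paths.get(userSupplied);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        Path resolved = base.resolve(candidate).normalize();
        // Path.startsWith compares path components, not string prefixes, so a
        // sibling like "/var/app/uploads-other" is not mistaken for a child of the base.
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes the upload directory: " + userSupplied);
        }
        return resolved;
    }

    // Hardened version of the sink from the post: the tainted value is validated
    // before it reaches the file system.
    static String readUpload(String fileName) throws IOException {
        Path safePath = resolveWithinBase(BASE_DIR, fileName);
        try (BufferedReader br = Files.newBufferedReader(safePath, StandardCharsets.UTF_8)) {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append('\n');
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the "filename" form field.
        String[] samples = { "report.txt", "sub/dir/report.txt", "../../etc/passwd", "/etc/passwd", "" };
        for (String s : samples) {
            try {
                System.out.println("accepted: \"" + s + "\" -> " + resolveWithinBase(BASE_DIR, s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running `main` accepts `report.txt` and `sub/dir/report.txt` and rejects the traversal, absolute and empty inputs. Note that `normalize()` only reasons about the textual path; if symbolic links inside the upload directory are a concern, resolve the candidate with `toRealPath()` and repeat the `startsWith` check on the result.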