Path Traversal not detected when using Apache Commons Fileupload

We are using SonarQube 9.9 Data Center Edition.

Language: Java
Rule: javasecurity:S2083 (other javasecurity-rules are affected as well)

We recently got a report from a penetration test that identified a Path Traversal vulnerability. I looked into the code and wondered why this was not detected. It looks like SQ is not detecting Apache Commons FileUpload as a taint source, at least not the methods used in our code.

Bad code sample (full code is attached):
TestServlet.txt (1.4 KB)

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.InputStream;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.fileupload.util.Streams;

String fileName = null;
ServletFileUpload upload = new ServletFileUpload();
FileItemIterator iter = upload.getItemIterator(request);   // request: the incoming HttpServletRequest
while (iter.hasNext()) {
    FileItemStream item = iter.next();
    if (item.isFormField()) {
        String name = item.getFieldName();
        if (name.equals("filename")) {
            try (InputStream stream = item.openStream()) {    // source: attacker-controlled form field
                String value = Streams.asString(stream);      // passthrough: taint flows from stream to value
                fileName = value;
            }
        }
    }
}

// sink: the unchecked field value is used as a file path -> should be path traversal (javasecurity:S2083)
try (BufferedReader br = new BufferedReader(new FileReader(fileName))) {
    // ... the file contents are read here (see the attached TestServlet)
}

Documentation from Apache Commons:
https://commons.apache.org/proper/commons-fileupload/using.html

By default this does not get detected. I added a custom SAST engine config to make this work. Only adding the source was not enough; I also had to add the passthrough for the helper method:

{
    "common": {
        "sources": [
            {
                "methodId": "org.apache.commons.fileupload.FileItemStream#openStream()Ljava/io/InputStream;"
            }
        ],
        "passthroughs": [
            {
                "methodId": "org.apache.commons.fileupload.util.Streams#asString(Ljava/io/InputStream;)Ljava/lang/String;",
                "isWhitelist": true,
                "args": [1]
            }
        ]
    }
}

Is there any possibility to add this to your default SAST engine config?
I could add this globally in our config, but it seems the SAST engine config only allows 4000 bytes, and if I add all our custom configs in every project, we would be above that soon.

1 Like
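The fix the pentest finding calls for, independent of whether the scanner flags it, is to stop the "filename" field from ever reaching a file sink unconstrained. The class below is an added example, not code from the original post or from SonarSource: it confines a user-supplied name to a fixed upload directory and rejects anything that escapes it. The class name `SafeFileResolver`, the upload root `/var/app/uploads` and the sample inputs are assumptions made for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not from the original post): confines a user-supplied
 * file name to a fixed upload directory before it reaches a file sink.
 */
public final class SafeFileResolver {

    // Assumed upload root; the original post does not say where the files live.
    static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");

    private SafeFileResolver() {}

    /**
     * Resolves userSuppliedName under baseDir and rejects anything that
     * escapes it. The check is lexical (normalize), so it does not follow
     * symlinks; add a toRealPath() comparison if baseDir may contain links.
     */
    public static Path resolveSafely(Path baseDir, String userSuppliedName) {
        if (userSuppliedName == null || userSuppliedName.isEmpty()) {
            throw new IllegalArgumentException("file name is empty");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            // resolve() discards base when the name is absolute ("/etc/passwd");
            // normalize() collapses "." and ".." segments. Both cases are caught below.
            candidate = base.resolve(userSuppliedName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("file name contains invalid characters", e);
        }
        // Path.startsWith compares whole name components, so "/var/app/uploads2"
        // is not accepted as being inside "/var/app/uploads".
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("file name escapes the upload directory: " + userSuppliedName);
        }
        return candidate;
    }

    // Constructed inputs: values the "filename" form field might carry.
    public static void main(String[] args) {
        String[] samples = {
            "report.txt",            // accepted
            "2023/report.txt",       // accepted: subdirectory stays inside the root
            "../../etc/passwd",      // rejected
            "/etc/passwd",           // rejected: absolute path replaces the base
            "sub/../../secret.txt",  // rejected: escapes after a partial descent
            ""                       // rejected
        };
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> " + resolveSafely(UPLOAD_DIR, s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

In the servlet this replaces `new FileReader(fileName)` with something like `Files.newBufferedReader(SafeFileResolver.resolveSafely(UPLOAD_DIR, fileName))`, so the tainted string is only ever used after it has been pinned under the upload root. Note that this fixes the code, not the scanner's view of it: unless the custom config also tells the taint engine that `resolveSafely` neutralizes the input, the flow can still be reported, which is the expected behaviour for a check the engine has no knowledge of.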

Hello Roman,

Thanks a lot for your post. You wrote your SQ edition, added a reproducer, and even added a custom config to test it. This is the most helpful FP reporting post I have had this year. I had a look, and we support a few methods from this library, but not the one you mentioned; you are right.

Yes, totally. I just created a ticket for that, and I think we should also have a look at the rest of the lib to make sure we do not skip anything.
Unfortunately, it is in a project not visible to the public so you cannot subscribe to its updates.
However, chances are that this configuration will be available in the next version of the taint engine, before 2024. 🤞

Have a good day and thanks again !

Cheers

Loris

2 Likes