SonarCloud Change this code to not construct the path from user-controlled data

Get sonar warning

Change this code to not construct the path from user-controlled data.

I/O function calls should not be vulnerable to path injection attacks [javasecurity:S2083]
Code

		BufferedInputStream input = null;
		BufferedOutputStream output = null;
		try {
			InputStream is = new FileInputStream(validateImagePath(imageBasePath, fullpath));
		} finally {
			// Flush before closing the output stream, not after.
			if (output != null) try { output.flush(); output.close(); } catch (IOException logOrIgnore) {}
			if (input != null) try { input.close(); } catch (IOException logOrIgnore) {}
		}

public static File validateImagePath(String imageBasePath, String fullPath) throws IOException {
		File file = new File(fullPath);
		return validateImagePath(imageBasePath, file);
	}

	public static File validateImagePath(String imageBasePath, File file) throws IOException {
		Path targetPath = new File(imageBasePath).toPath().normalize();
		if(!file.toPath().normalize().startsWith(targetPath)) {
			throw new IOException(String.format("Image %s is outside of the target directory %s", file.getAbsolutePath(), imageBasePath));
		}
		return file;
	}


Still get the warning after the fix is applied.
Please help/advise.

Hi,

Thank you for the code example. I am not sure I understand what you mean by:

Which fix have you applied?

Can you also give some context, such as the version of SonarQube you are using?

Regards

Sebastien
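
A containment check in the spirit of the `validateImagePath` helper from the question, as an added example that is not code from this thread or from SonarSource: it treats the user-supplied value as a name relative to the base directory, resolves it against the canonical base, and re-checks after symlink resolution. The class name, method name and sample file names are hypothetical, and the thread does not establish whether the analyzer accepts this as a sanitizer.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ImagePathCheck {

    // Hypothetical helper: resolve a user-supplied relative name under the
    // base directory and reject anything that ends up outside it.
    static Path resolveInsideBase(String imageBasePath, String userSuppliedName) throws IOException {
        // Canonical base: absolute, symlinks resolved (the directory must exist).
        Path base = Paths.get(imageBasePath).toRealPath();
        Path requested = Paths.get(userSuppliedName);
        if (requested.isAbsolute()) {
            throw new IOException("absolute paths are not accepted");
        }
        // normalize() removes "." and ".."; Path.startsWith compares whole path components.
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes the image directory");
        }
        // normalize() does not follow symlinks, so re-check the real location of existing files.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IOException("symlink points outside the image directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary image directory with one file.
        Path base = Files.createTempDirectory("images");
        Files.write(base.resolve("logo.png"), new byte[] {1, 2, 3});
        String[] names = {"logo.png", "sub/../logo.png", "../outside.png", "/etc/hostname"};
        for (String name : names) {
            try {
                Path p = resolveInsideBase(base.toString(), name);
                try (InputStream in = Files.newInputStream(p)) {
                    System.out.println("OK      " + name + " -> " + in.available() + " bytes");
                }
            } catch (IOException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Unlike the posted helper, both sides of the `startsWith` comparison here are absolute and derived from the same base, so a relative base path compared against an absolute file path cannot produce a false result.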