Our team started using SonarCloud a few weeks ago. In a penetration test, an issue was identified, which allowed access to files outside of the wanted directory.
```java
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Rebuild the requested file name from the path segments after the first one
    Optional<String> fileName = Arrays.stream(request.getPathInfo().split("/"))
            .skip(1)
            .reduce((s1, s2) -> s1 + "/" + s2);
    HttpSession session = request.getSession();
    // The user-controlled name is handed straight to the file system layer
    writeFileToResponse(session, response, fileName.orElse(""));
    ...
}

protected void writeFileToResponse(HttpSession session, HttpServletResponse response, String fileName)
        throws IOException {
    ...
    Path userTempDir = ...;
    try (OutputStream os = response.getOutputStream()) {
        // resolve() returns fileName unchanged when it is an absolute path
        Files.copy(userTempDir.resolve(fileName), os);
    }
}
```
Since fileName is a query parameter and is passed to userTempDir.resolve, this issue arises.
I.e. if the fileName is "a.pdf", resolve will return "C:\temp\user\a.pdf",
but if the fileName is "C:\Windows\System32\drivers\etc\hosts", resolve will return the full absolute path "C:\Windows\System32\drivers\etc\hosts", leading to a serious vulnerability.
Shouldn’t sonar have a rule for this? Or what am I missing?
Best regards
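As an added example (not code from the original post or from SonarCloud), here is a resolve helper that rejects absolute names and names that climb out of the per-user directory before anything is copied to the response; the base directory and the sample file names are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeResolve {

    /**
     * Resolves fileName under baseDir and returns the result, or throws if the
     * resolved path would leave baseDir. Hypothetical helper, not part of the post.
     */
    static Path resolveInside(Path baseDir, String fileName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path requested = Paths.get(fileName);
        // Path.resolve(absolute) returns the argument unchanged, which is exactly
        // the traversal described above, so absolute requests are refused outright.
        if (requested.isAbsolute()) {
            throw new IllegalArgumentException("absolute path rejected: " + fileName);
        }
        // normalize() collapses ".." segments; a name such as "a/../../x" ends up
        // outside base and fails the startsWith check. Resolving to base itself
        // (empty name or ".") is refused as well, since it is not a file.
        Path resolved = base.resolve(requested).normalize();
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            throw new IllegalArgumentException("path escapes base dir: " + fileName);
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path userTempDir = Paths.get("/tmp/user"); // assumed per-user directory
        // Constructed inputs: two legitimate names and two traversal attempts
        String[] inputs = { "a.pdf", "sub/b.pdf", "../../etc/passwd", "/etc/hosts" };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveInside(userTempDir, in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The startsWith check compares path components, not string prefixes, so a sibling directory like "/tmp/user2" does not pass.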