SonarCloud not identifying issue

Our team started using SonarCloud a few weeks ago. In a penetration test, an issue was identified, which allowed access to files outside of the wanted directory.

import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Rejoin everything after the leading "/" of the path info into a single string
    Optional<String> fileName = Arrays.stream(request.getPathInfo().split("/"))
        .skip(1)
        .reduce((s1, s2) -> s1 + "/" + s2);
    HttpSession session = request.getSession();
    writeFileToResponse(session, response, fileName.orElse(""));
    // ...
}

protected void writeFileToResponse(HttpSession session, HttpServletResponse response, String fileName)
        throws IOException {
    // ...
    Path userTempDir = ...; // per-user temp directory (elided in the original post)
    try (OutputStream os = response.getOutputStream()) {
        // fileName comes straight from the request and is handed to resolve() unchecked
        Files.copy(userTempDir.resolve(fileName), os);
    }
}

Since fileName is a query parameter and passed to userTempDir.resolve, this issue arises.
I.e. if the fileName is “a.pdf”, resolve will be “C:\temp\user\a.pdf”,
but if the fileName is “C:\Windows\System32\drivers\etc\hosts”, resolve will be the full absolute path “C:\Windows\System32\drivers\etc\hosts”, leading to a serious vulnerability.

Shouldn’t sonar have a rule for this? Or what am I missing?

Best regards
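The behaviour described above, shown side by side with a hardened resolver, as an added example that is not part of the original post or of SonarSource's rule implementation. It assumes a Windows JVM so that the sample paths match the post; the check itself (resolve, normalize, then require that the result still starts with the base directory) is the same on any platform.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeResolveDemo {

    // Mirrors the servlet in the post: the client-supplied name goes straight into resolve().
    // Path.resolve() returns the argument unchanged when it is absolute, so the base directory
    // is silently discarded.
    static Path unsafeResolve(Path baseDir, String fileName) {
        return baseDir.resolve(fileName);
    }

    // Hardened version: resolve, collapse ".." segments with normalize(), then require that the
    // result is still located under the base directory. Returns null when it is not.
    static Path safeResolve(Path baseDir, String fileName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = base.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            return null; // characters the file system does not accept
        }
        // startsWith() compares whole name elements, so "C:\temp\user2" is not treated as a child
        // of "C:\temp\user"; the equals() check rejects an empty file name.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path userTempDir = Paths.get("C:\\temp\\user"); // constructed sample base directory
        String[] inputs = {                              // constructed sample request values
            "a.pdf",
            "..\\..\\Windows\\System32\\drivers\\etc\\hosts",
            "C:\\Windows\\System32\\drivers\\etc\\hosts"
        };
        for (String in : inputs) {
            System.out.printf("%-48s unsafe -> %s%n", in, unsafeResolve(userTempDir, in));
            System.out.printf("%-48s safe   -> %s%n", "", safeResolve(userTempDir, in));
        }
    }
}
```

Only the first input yields a non-null result from safeResolve; the other two resolve outside C:\temp\user and are rejected, which is exactly the case the pentest found.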

Hello,

We have a rule to detect such a vulnerability. This is S2083.

Unfortunately, you found a limitation of our engine: we don’t support Java Streams well in our taint analyzer. That’s a topic we want to address to increase our detection rate.

Regards
Alex

