Posted to issues@cxf.apache.org by "Alan Mehio (Jira)" <ji...@apache.org> on 2021/04/05 19:19:00 UTC
[jira] [Closed] (CXF-8448) CodeQL : Uncontrolled data used in path expression. Security check
[ https://issues.apache.org/jira/browse/CXF-8448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alan Mehio closed CXF-8448.
---------------------------
Fix Version/s: 3.3.10
Resolution: Fixed
The fix is based on sanitizing and removing any potentially dangerous components such as ".." in the directory name. See the latest build for the [PR|https://github.com/apache/cxf/pull/768].
> CodeQL : Uncontrolled data used in path expression. Security check
> -------------------------------------------------------------------
>
> Key: CXF-8448
> URL: https://issues.apache.org/jira/browse/CXF-8448
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.3.10
> Reporter: Alan Mehio
> Priority: Minor
> Fix For: 3.3.10
>
>
> CodeQL : Uncontrolled data used in path expression. Security check
> The CodeQL for the build is failing due to a [security issue check|https://codeql.github.com/codeql-query-help/java/java-path-injection/]. The build was triggered by a push which did a refactor of the file [AttachmentUtil|https://github.com/apache/cxf/pull/768/files#annotation_1255142036].
> As we can see, the line which is causing the CodeQL failure is 187, which is as below:
> bos.setOutputDir(new File((String)directory));
>
> but the "directory" is given by the caller, which the class has no control over.
> If we look at a sample of test-case usage of AttachmentDeserializer.ATTACHMENT_DIRECTORY,
> we can see System.getProperty("java.io.tmpdir"), which on Linux is
> /tmp, and by applying the rule it will end up as tmp.
> I have reported a [false positive issue|https://github.com/github/codeql/issues/5598] to the CodeQL project.
> Also, please take a look at the security issues from the [LGTM.com site security error list|https://lgtm.com/projects/g/apache/cxf/alerts/?mode=list&result_filter=0e00f5fa7b93849767c1677dc71d9400f85c6a54]
> and the [issue reported there|https://lgtm.com/projects/g/apache/cxf/snapshot/018c47bd2be8213910b34d1cfb2aabf796c40b7e/files/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java?sort=name&dir=ASC&mode=heatmap#x5d0eff0d14e724ce:1].
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
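As an added illustration of the approach described in the thread (this is not the code from PR 768 or the CXF code base, and the class and method names are assumptions), the following strips ".." and "." components from a caller-supplied directory while keeping the root component, so that the java.io.tmpdir value /tmp is not reduced to tmp:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example; not the CXF PR 768 code. Class and method names are assumptions. */
public final class AttachmentDirSanitizer {

    /**
     * Rebuilds the caller-supplied directory from its name elements, dropping
     * "..", "." and empty segments but keeping the root component. So "/tmp"
     * stays "/tmp" (it is not reduced to "tmp"), while "/tmp/../etc" becomes
     * "/tmp/etc" and "../../etc" becomes "etc".
     */
    static String sanitizeDirectory(String directory) {
        if (directory == null || directory.isEmpty()) {
            throw new IllegalArgumentException("directory must not be empty");
        }
        Path input = Paths.get(directory);
        Path root = input.getRoot();            // "/" on Linux, drive root on Windows, null if relative
        Path result = root != null ? root : Paths.get("");
        for (Path element : input) {            // iterates name elements only; the root is excluded
            String name = element.toString();
            if (name.isEmpty() || ".".equals(name) || "..".equals(name)) {
                continue;                       // potentially dangerous or meaningless component
            }
            result = result.resolve(name);
        }
        if (result.toString().isEmpty()) {
            throw new IllegalArgumentException("directory has no usable path components: " + directory);
        }
        return result.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the java.io.tmpdir case raised in the issue.
        String[] samples = { "/tmp", "/tmp/../etc", "../../etc", "./cxf/attachments/" };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitizeDirectory(s));
        }
    }
}
```

Stripping traversal components narrows what a malformed value can do, but the result is still trusted to name a writable directory, so the value should come from deployment configuration rather than from request data.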