Posted to issues@cxf.apache.org by "Alan Mehio (Jira)" <ji...@apache.org> on 2021/04/05 19:19:00 UTC

[jira] [Closed] (CXF-8448) CodeQL : Uncontrolled data used in path expression. Security check

     [ https://issues.apache.org/jira/browse/CXF-8448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan Mehio closed CXF-8448.
---------------------------
    Fix Version/s: 3.3.10
       Resolution: Fixed

The fix is based on sanitizing and removing any potentially dangerous components, such as "..", in the directory name. See the latest build for the [PR|https://github.com/apache/cxf/pull/768].

 

> CodeQL : Uncontrolled data used in path expression. Security check 
> -------------------------------------------------------------------
>
>                 Key: CXF-8448
>                 URL: https://issues.apache.org/jira/browse/CXF-8448
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.3.10
>            Reporter: Alan Mehio
>            Priority: Minor
>             Fix For: 3.3.10
>
>
> CodeQL : Uncontrolled data used in path expression. Security check 
> The CodeQL run for the build is failing due to a [security issue check|https://codeql.github.com/codeql-query-help/java/java-path-injection/]. The build was triggered by a push which did a refactor of the file [AttachmentUtil|https://github.com/apache/cxf/pull/768/files#annotation_1255142036].
> As we can see, the line causing the CodeQL failure is 187, which is as below:
> bos.setOutputDir(new File((String)directory));
>  
> but the "directory" is given by the caller, which the class has no control over.
> If we look at a sample of test case usage of AttachmentDeserializer.ATTACHMENT_DIRECTORY,
> we can see System.getProperty("java.io.tmpdir"), which on Linux is
> /tmp, and by applying the rule it will end up with tmp.
> I have reported a [false positive issue|https://github.com/github/codeql/issues/5598] to the CodeQL project.
> Also, please take a look at the security issues from the [LGTM.com site security error list|https://lgtm.com/projects/g/apache/cxf/alerts/?mode=list&result_filter=0e00f5fa7b93849767c1677dc71d9400f85c6a54]
> and the [issue reported there|https://lgtm.com/projects/g/apache/cxf/snapshot/018c47bd2be8213910b34d1cfb2aabf796c40b7e/files/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java?sort=name&dir=ASC&mode=heatmap#x5d0eff0d14e724ce:1].
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
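As an added example (not the CXF project's code from the PR), the following Java sanitizer does what the closing comment describes: it drops ".." components from a caller-supplied attachment directory before the value reaches `new File(...)`, while keeping the path's root so that the `/tmp` case from the issue stays `/tmp` instead of collapsing to a relative `tmp`. The class and method names are hypothetical.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not CXF code: remove traversal components from a
 * caller-controlled directory name (the ATTACHMENT_DIRECTORY value)
 * before it is passed to bos.setOutputDir(new File(...)).
 */
public class AttachmentDirSanitizer {

    /** Hypothetical helper: strips "..", "." and empty segments, keeps the root. */
    public static String sanitizeDirectory(String directory) {
        if (directory == null || directory.isEmpty()) {
            throw new IllegalArgumentException("attachment directory must not be empty");
        }
        Path p = Paths.get(directory);
        List<String> kept = new ArrayList<>();
        for (Path segment : p) {            // iterates name elements, root excluded
            String s = segment.toString();
            if (s.equals("..") || s.equals(".") || s.isEmpty()) {
                continue;                   // drop traversal and no-op components
            }
            kept.add(s);
        }
        // Re-anchor on the original root ("/" or "C:\") so absolute paths stay absolute;
        // this is what keeps java.io.tmpdir "/tmp" from becoming the relative "tmp".
        Path root = p.getRoot();
        Path result = root != null ? root : Paths.get("");
        for (String s : kept) {
            result = result.resolve(s);
        }
        return result.toString();
    }

    public static void main(String[] args) {
        String[] samples = {                // constructed inputs for illustration
            System.getProperty("java.io.tmpdir"),
            "/tmp/../../etc",
            "attachments/../../other",
        };
        for (String s : samples) {
            File out = new File(sanitizeDirectory(s)); // the value setOutputDir would receive
            System.out.println(s + " -> " + out.getPath());
        }
    }
}
```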