Posted to issues@commons.apache.org by "Sravan Putluru (Jira)" <ji...@apache.org> on 2020/03/12 14:28:00 UTC

[jira] [Commented] (IO-559) FilenameUtils.normalize should verify hostname syntax in UNC path

    [ https://issues.apache.org/jira/browse/IO-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17057966#comment-17057966 ] 

Sravan Putluru commented on IO-559:
-----------------------------------

The project uses normalize() to generate file paths on Windows/Linux, but the Veracode security scan reports the line where the method is used as a Directory Traversal (DT) issue with medium severity.
Commons IO 2.6 API: unexpected behavior with the normalize(String s) method, which is not performing validations on the path input. "../" is allowed, but it returns null if the input is something like "../../". With the lines of code below, can the path DT vulnerability issue be removed? Could somebody please give a solution.
The Veracode report detected Directory Traversal medium flaws that need to be fixed.

import org.apache.commons.io.FilenameUtils;

String fileName = "../../etc/passwd";

// normalize() collapses "." and ".." segments and returns null when ".." would climb above the start of the path
fileName = FilenameUtils.normalize(fileName);

if (fileName != null) {
    // file creation path eg: drivec\root\06-03-2020\folder\test
} else {
    throw new CustomerException("Invalid path creation found");
}

> FilenameUtils.normalize should verify hostname syntax in UNC path
> -----------------------------------------------------------------
>
>                 Key: IO-559
>                 URL: https://issues.apache.org/jira/browse/IO-559
>             Project: Commons IO
>          Issue Type: Bug
>          Components: Utilities
>    Affects Versions: 2.6
>            Reporter: Stefan Bodewig
>            Priority: Major
>             Fix For: 2.7
>
>
> {{FilenameUtils.normalize}} will accept broken file names as UNC path even if their hostname part doesn't match the syntax of a proper hostname. Using certain hostnames like "." this may lead to strange side effects.
> Most likely the best fix will be to make {{getPrefixLength}} verify the hostname part of a suspected UNC path and return a value of {{NOT_FOUND}} if it is not a valid hostname - much like it does for triple slashes.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
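The containment check the commenter is asking for, plus a hostname check in the spirit of the issue, as an added example (not code from the Commons IO project or from either participant). It assumes Commons IO 2.6 on the classpath; the class name SafePathExample, the methods isUncWithValidHost and resolveUnder, the hostname regex and the sample inputs are all made up for this illustration and are not the library's own rule or the fix that shipped in 2.7. The point it shows: normalize() only returns null when ".." would climb above the start of the string it was given, so on its own it cannot know whether the result is still inside your base directory; the canonical-path comparison is what actually stops traversal.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

import org.apache.commons.io.FilenameUtils;

// Added example, not Commons IO code. Class, method and regex are made up for this illustration.
public final class SafePathExample {

    // Plausible-hostname check in the spirit of IO-559 (RFC 1123 labels, no IP literals);
    // an illustration only, not the rule the library itself adopted.
    private static final Pattern HOSTNAME = Pattern.compile(
        "(?i)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*");

    // True only for "//host/..." or "\\host\..." where host looks like a real hostname.
    // The issue reports that 2.6 treats a bogus host such as "." as a UNC prefix.
    public static boolean isUncWithValidHost(String path) {
        if (path == null || path.length() < 3) {
            return false;
        }
        boolean unc = (path.startsWith("//") || path.startsWith("\\\\"))
                && path.charAt(2) != '/' && path.charAt(2) != '\\';
        if (!unc) {
            return false;
        }
        int slash = path.indexOf('/', 2);
        int back = path.indexOf('\\', 2);
        int end = (slash == -1) ? back : (back == -1 ? slash : Math.min(slash, back));
        String host = (end == -1) ? path.substring(2) : path.substring(2, end);
        return HOSTNAME.matcher(host).matches();
    }

    // Resolve untrusted input under baseDir; throw if it escapes.
    public static File resolveUnder(File baseDir, String userInput) throws IOException {
        if (userInput == null || userInput.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // normalize() returns null only when ".." would climb above the start of the string
        String normalized = FilenameUtils.normalize(userInput, true);
        if (normalized == null) {
            throw new IllegalArgumentException("invalid path: " + userInput);
        }
        // Anything with a prefix (/, C:, //server/, ~/) is not relative to baseDir
        if (FilenameUtils.getPrefixLength(normalized) != 0) {
            throw new IllegalArgumentException("absolute or UNC path not accepted: " + userInput);
        }
        File base = baseDir.getCanonicalFile();
        File target = new File(base, normalized).getCanonicalFile();
        // The canonical form also follows symlinks; compare with a trailing separator so
        // /data/root2 is not taken for a child of /data/root
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IllegalArgumentException("path escapes base directory: " + userInput);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs
        String[] inputs = {
            "../../etc/passwd",        // normalize -> null
            "foo/../../etc/passwd",    // normalize -> null
            "foo/../bar/report.txt",   // normalize -> bar/report.txt, accepted
            "/etc/passwd",             // absolute prefix, rejected
            "//./foo/bar",             // UNC with host "." (IO-559), rejected by the prefix check
        };
        File base = new File(System.getProperty("java.io.tmpdir"), "upload-root");
        for (String in : inputs) {
            System.out.println(in + " -> normalize: " + FilenameUtils.normalize(in, true)
                + ", uncWithValidHost: " + isUncWithValidHost(in));
            try {
                System.out.println("  resolved: " + resolveUnder(base, in));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

The prefix-length check is deliberately strict: it refuses every absolute, drive-letter, home-relative and UNC input, so the UNC hostname question never reaches the filesystem. isUncWithValidHost is shown separately for callers that do need to accept UNC paths and want to reject a host like "." before handing the string to normalize().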