Input_Path_Not_Canonicalized - Path Traversal Vulnerability in Checkmarx


I am facing a path traversal vulnerability while analyzing code with Checkmarx. I am fetching the path with the code below:

String path  = System.getenv(variableName);

and the "path" variable's value passes through many functions and is finally used in one function with the code snippet below:

File file = new File(path);

Checkmarx is marking it as a medium severity vulnerability.

Please help. How do I resolve it so that Checkmarx accepts it?


There are 2 answers

Atul Dwivedi

You can generate a canonicalized path by calling File.getCanonicalPath().

In your case:

String path  = System.getenv(variableName);
path = new File(path).getCanonicalPath();

For more information, read the Javadoc.

securecodeninja

Other answers that I believe Checkmarx will accept as sanitizers include Path.normalize:

import java.io.File;
import java.nio.file.*;

String path  = System.getenv(variableName);
Path p = Paths.get(path);
// normalize() collapses "." and ".." segments lexically; it does not touch the file system
Path normalizedPath = p.normalize();
File file = new File(normalizedPath.toString());

or the FilenameUtils.normalize method:

import java.io.File;
import org.apache.commons.io.FilenameUtils;

String path  = System.getenv(variableName);
// FilenameUtils.normalize() returns null when ".." would climb above the root,
// so guard before passing the result to File
String normalized = FilenameUtils.normalize(path);
if (normalized == null) {
    throw new IllegalArgumentException("invalid path: " + path);
}
File file = new File(normalized);
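Both answers above show how to canonicalize or normalize the path so that Checkmarx stops flagging the sink. The following is an added example, not code from the question or either answer, that combines the two ideas and adds the check a reviewer would expect next to them: the canonical form of the untrusted value is compared, component by component, against an allowed base directory. The class name CanonicalPathCheck, the method resolveUnderBase and the base directory /var/app/data are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class CanonicalPathCheck {

    // Assumed application data root for this example; replace with the real one.
    private static final String BASE_DIR = "/var/app/data";

    /**
     * Resolves an untrusted path string (e.g. the value of an environment variable)
     * and returns a File only if the canonical location lies under BASE_DIR.
     *
     * @throws IOException if the path cannot be canonicalized or escapes BASE_DIR
     */
    public static File resolveUnderBase(String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty()) {
            throw new IOException("path is missing");
        }

        // Canonicalize the base as well, so a symlinked base directory still compares equal.
        Path base = Paths.get(new File(BASE_DIR).getCanonicalPath());

        // Step 1: lexical normalization (Path.normalize) collapses "." and "..".
        // An absolute untrusted value replaces the base during resolve(), which the
        // containment check below then rejects.
        Path normalized = base.resolve(untrusted).normalize();

        // Step 2: File.getCanonicalPath() also resolves symbolic links, so the result
        // reflects where the name really points on disk, not just how it is spelled.
        Path canonical = Paths.get(normalized.toFile().getCanonicalPath());

        // Step 3: compare path components, not string prefixes, so that
        // "/var/app/data2" is not accepted as a child of "/var/app/data".
        if (!canonical.startsWith(base)) {
            throw new IOException("path escapes base directory: " + untrusted);
        }
        return canonical.toFile();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration.
        String[] samples = {
            "reports/2024/summary.txt", // accepted: stays under BASE_DIR
            "../../etc/passwd",         // rejected: climbs out of BASE_DIR
            "/etc/passwd"               // rejected: absolute path outside BASE_DIR
        };
        for (String sample : samples) {
            try {
                System.out.println("accepted: " + resolveUnderBase(sample));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Path.normalize() and FilenameUtils.normalize() work on the string only and will not notice a symbolic link that points outside the intended directory; File.getCanonicalPath() (or Path.toRealPath() for a path that must already exist) follows links, which is why the example canonicalizes before the containment check rather than after it.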