How to correct Path Manipulation error given by fortify?

Question

I need to read the properties file kept in user_home folder.

PropsFile = System.getProperty(\"user.home\") + System.getProperty(\"file.separator\")+ \"x.pro         


        

Answer 1

Instead of trying to remove the Fortify error, I urge you to think about the security vulnerability.

The problem is that user.home could be crafted, possibly with the -D vm arg, to allow any file named x.properties potentialy anywhere on the system to be opened, or be destroyed. For example, setting user.home to /usr/local would not be detetcted by your blacklisting. Any file called /usr/local/x.properties could then be read or overwritten.

You need to challenge why any value of user.home can be allowed. You need to check that the path you get from user.home starts with a certain location (say, /home). This is caled whitelist validation and is a common and well-known fix for security vulnerabilities. Once you do establish that the supplied path has a root in a known location then do you your blacklisting for directory transversal.

I know this is a pain but the attempt to fix this with blacklisting alone is fraught with peril and will never fix the problem. And it is a real security issue, not just a Fortify error.