Fixing Path Manipulation error

让人想犯罪 __ submitted on 2020-01-05 03:06:07

Question


Fortify is giving a Path Manipulation error on the line where the new File(path) comparison is made. I'm using Struts 2.

Can anyone tell me how to fix this issue so that Fortify won't give this error?

private boolean filePresent(String fileName) {
    if (fileName != null) {
        String path = getDirPath();
        if (path != null) {
            path = path.endsWith("/") ? path : path + "/";
            path = path + fileName;
            // Fortify flags this line: the path is built from the caller-supplied fileName
            if (new File(path).exists()) {
                setFileName(fileName);
                return true;
            }
        }
    }
    return false;
}

I need to see whether the file is present or not on our web server, hence I'm passing the file name as an argument, getting the entire directory path from web.xml, appending it to the file name, then composing the path and checking it against a File object to see if it is present or not.


Answer 1:


You don't want the remote web user to see whether C:/Windows/System32 exists, or whether /etc/hosts exists, because that allows them to do forensic research on your server.

You probably didn't realize that your function allows them to do just that, by including an appropriate number of ".." sequences in the input string.

There are two ways to stop the problem:

  1. Whitelist approach. Scrub all the characters in the input parameter and only allow "a" through "z" and perhaps ".". Throw an exception if the input falls outside of these bounds.

  1a. Or, if you know the list of valid files is less than 20, just list them out and if the input doesn't make an exact match, throw an exception.

  2. Blacklist approach. Check the input and throw an exception if it contains any sequence ".." or any forward slashes or backslashes. This is GENERALLY not a defense in depth, but for your function as I read it right now, this would be OK.
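The whitelist approach from the answer above, written out as an added example (not code from the question or the answers). It assumes the directory from web.xml is passed in as dirPath, and it adds a canonical-path check so that a name which somehow passes the pattern still cannot resolve outside that directory:

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/**
 * Added example: whitelist the file name, then verify that the
 * canonicalized result still sits directly inside the configured
 * directory. dirPath stands in for the value of getDirPath().
 */
public class SafeFileCheck {

    // Plain names only: letters, digits, '_', '-', optional single extension.
    // "..", "/", "\\" and NUL can never match this pattern.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9_-]{1,64}(\\.[A-Za-z0-9]{1,8})?$");

    private final File baseDir;

    public SafeFileCheck(String dirPath) throws IOException {
        // Canonicalize once so later comparisons use the same form.
        this.baseDir = new File(dirPath).getCanonicalFile();
    }

    /** True only if fileName is a plain name and exists under baseDir. */
    public boolean filePresent(String fileName) throws IOException {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            // Fail closed instead of trying to "clean" the input.
            throw new IllegalArgumentException("invalid file name");
        }
        File candidate = new File(baseDir, fileName).getCanonicalFile();
        // Defence in depth: the resolved parent must be baseDir itself
        // (getCanonicalFile also resolves symbolic links).
        if (!baseDir.equals(candidate.getParentFile())) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate.isFile();
    }

    public static void main(String[] args) throws IOException {
        SafeFileCheck check = new SafeFileCheck(System.getProperty("java.io.tmpdir"));
        System.out.println(check.filePresent("report.pdf")); // false unless present
        try {
            check.filePresent("../web.xml"); // rejected by the whitelist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the tainted value never reaches the File constructor unless it matched the pattern, the Fortify Path Manipulation finding on the original line is addressed by validation rather than by string replacement.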



Answer 2:


You can even use a filter to do it, like

in the Filter:

chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);

in the RequestWrapper use something like

if (value.contains("..\\"))
    value = value.replace("..\\", "");
if (value.contains("../"))
    value = value.replace("../", "");
if (value.contains("./"))
    value = value.replace("./", "");


Source: https://stackoverflow.com/questions/9745896/fixing-path-manipulation-error
