I'm getting the above warning, with the message 'Method java.io.File reads a file whose location is specified by user input', after running FindBugs on the code snippet below.
public void removeFile(String warFileName){
    // FindBugs flags this line: warFileName comes from the caller and goes into the path unchanged
    File warFile = new File(homePath + "/samples/" + warFileName + ".war");
    .....
}
What would be the best way of fixing this security issue?
As @Jeet pointed out, one solution is described on the page. Basically, it suggests using a framework to "normalize" the user input, i.e.:
File file = new File("resources/images/", image); //Weak point
File file = new File("resources/images/", FilenameUtils.getName(image)); //Fix
The problem with this solution is that it introduces a dependency to your project (to Apache Commons).
So instead of using FilenameUtils.getName, you could try to use Java 7 Files and Path. Probably Path#getFileName() would help to fix the vulnerability.
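Putting the answer's suggestion into working code, as an added example that is not part of the original question or answer: the class name WarFileRemover, the home path /opt/app and the method names are assumptions. It shows the original unchecked construction beside a hardened version built on java.nio.file, and goes one step further than the answer: instead of silently rewriting "../../etc/passwd" to "passwd" it rejects any input whose directory components had to be stripped, then verifies that the final normalized path is a direct child of the samples directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class WarFileRemover {

    // Assumed base directory for the example; the original post calls it homePath.
    private final Path samplesDir;

    public WarFileRemover(Path homePath) {
        // Absolute and normalized, so startsWith() below compares like with like.
        this.samplesDir = homePath.resolve("samples").toAbsolutePath().normalize();
    }

    /** Equivalent to the original post: user input goes straight into the path. */
    public Path resolveUnchecked(String warFileName) {
        return new File(samplesDir.toFile(), warFileName + ".war").toPath();
    }

    /**
     * Hardened form. Returns the .war path only if warFileName is a bare file
     * name that stays inside samplesDir; throws IllegalArgumentException otherwise.
     */
    public Path resolveChecked(String warFileName) {
        Path nameOnly;
        try {
            // Path#getFileName() drops every directory component:
            // "../../etc/passwd" -> "passwd", "/" -> null, "" -> "".
            nameOnly = Paths.get(warFileName).getFileName();
        } catch (InvalidPathException e) {
            // e.g. an embedded NUL byte on most platforms
            throw new IllegalArgumentException("invalid file name: " + warFileName, e);
        }
        if (nameOnly == null || nameOnly.toString().isEmpty()
                || nameOnly.toString().equals(".") || nameOnly.toString().equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + warFileName);
        }
        // Stricter than silently normalizing: if stripping directories changed the
        // input, the caller supplied a path rather than a name, so reject it.
        if (!nameOnly.toString().equals(warFileName)) {
            throw new IllegalArgumentException("directory components not allowed: " + warFileName);
        }
        Path candidate = samplesDir.resolve(nameOnly.toString() + ".war").normalize();
        // Belt and braces: the final path must be a direct child of samplesDir.
        if (!candidate.startsWith(samplesDir) || !samplesDir.equals(candidate.getParent())) {
            throw new IllegalArgumentException("path escapes samples directory: " + warFileName);
        }
        return candidate;
    }

    public void removeFile(String warFileName) throws IOException {
        Files.deleteIfExists(resolveChecked(warFileName));
    }

    public static void main(String[] args) {
        WarFileRemover remover = new WarFileRemover(Paths.get("/opt/app")); // assumed home path
        // Constructed sample inputs: one legitimate name and four hostile or malformed ones.
        String[] inputs = { "demo", "../../etc/passwd", "..", "", "sub/demo" };
        for (String in : inputs) {
            System.out.println("input: \"" + in + "\"");
            System.out.println("  unchecked -> " + remover.resolveUnchecked(in));
            try {
                System.out.println("  checked   -> " + remover.resolveChecked(in));
            } catch (IllegalArgumentException e) {
                System.out.println("  checked   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only "demo" gets through resolveChecked; the unchecked form happily builds /opt/app/samples/../../etc/passwd.war. Note that deleteIfExists removes a symbolic link rather than its target, so a link planted inside the samples directory is still confined by this check.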