
How to fix "Path Manipulation Vulnerability" in some Java Code?

The simple Java code below is getting a Fortify Path Manipulation error. Please help me resolve this. I have been struggling with it for a long time.

import java.io.File;

public class Test {
    public static void main(String[] args) {
        File file = new File(args[0]);
    }
}
mohan asked Oct 02 '12 12:10


People also ask

What is path manipulation in Java?

File path manipulation vulnerabilities arise when user-controllable data is placed into a file or URL path that is used on the server to access local resources, which may be within or outside the web root.

What is fortify issues in Java?

One of the common issues reported by Fortify is the Path Manipulation issue. The issue is that if you take data from an external source, then an attacker can use that source to manipulate your path, enabling the attacker to delete files or otherwise compromise your system.


4 Answers

Try to normalize the URL before using it

https://docs.oracle.com/javase/7/docs/api/java/net/URI.html#normalize()

Path path = Paths.get("/foo/../bar/../baz").normalize();

or use normalize from org.apache.commons.io.FilenameUtils

https://commons.apache.org/proper/commons-io/javadocs/api-1.4/org/apache/commons/io/FilenameUtils.html#normalize(java.lang.String)

String path = FilenameUtils.normalize("/foo/../bar/../baz");

For both the result will be \baz

Cassian answered Oct 22 '22 00:10


Looking at the OWASP page for Path Manipulation, it says

An attacker can specify a path used in an operation on the filesystem

You are opening a file as defined by a user-given input. Your code is almost a perfect example of the vulnerability! Either

  1. Don't use the above code (don't let the user specify the input file as an argument)
  2. Let the user choose from a list of files that you supply (an array of files with an integer choice)
  3. Don't let the user supply the filename at all, remove the configurability
  4. Accept the vulnerability but protect against it by checking the filename (although this is the worst thing to do - someone may get round it anyway).

Or re-think your application's design.

Joe answered Oct 21 '22 23:10


Fortify will flag the code even if the path/file doesn't come from user input like a property file. The best way to handle these is to canonicalize the path first, then validate it against a white list of allowed paths.

Bad:

import java.io.File;

public class Test {
    public static void main(String[] args) {
        File file = new File(args[0]);
    }
}

Good:

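import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class Test {
    public static void main(String[] args) throws IOException {
        File file = new File(args[0]);
        // isInSecureDir(...) is a helper that is not shown in this answer
        if (!isInSecureDir(file)) {
            throw new IllegalArgumentException();
        }
        // Canonicalize first, then compare against the allowed paths
        String canonicalPath = file.getCanonicalPath();
        if (!canonicalPath.equals("/img/java/file1.txt") &&
            !canonicalPath.equals("/img/java/file2.txt")) {
            // Invalid file; handle error
            throw new IllegalArgumentException("path not allowed");
        }

        FileInputStream fis = new FileInputStream(file);
    }
}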

Source: https://www.securecoding.cert.org/confluence/display/java/FIO16-J.+Canonicalize+path+names+before+validating+them

BrianKeys answered Oct 22 '22 00:10
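
A base-directory variant of the canonicalize-then-validate approach from the answer above, as an added example that is not part of the original answers or of the cited CERT rule: it generalizes the exact-path allow list to "anything under one directory". The class name SafeResolve, the method resolveUnder and the sample file names are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeResolve {
    /**
     * Resolve an untrusted file name under baseDir and reject anything
     * that ends up outside it after canonicalization.
     */
    static Path resolveUnder(Path baseDir, String untrusted) throws IOException {
        // Canonicalize the base once: absolute, no "..", symlinks resolved.
        Path base = baseDir.toRealPath();
        // resolve() returns the argument itself when it is absolute, so an
        // absolute input is caught by the startsWith check below.
        Path candidate = base.resolve(untrusted).normalize();
        // If the target exists, resolve symlinks too: a link inside the
        // base directory may point outside it.
        if (Files.exists(candidate)) {
            candidate = candidate.toRealPath();
        }
        // Path.startsWith compares whole name elements, so /data/base2
        // does not count as being under /data/base.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temp directory holding one file.
        Path base = Files.createTempDirectory("uploads");
        Files.write(base.resolve("report.txt"), "ok".getBytes());

        String[] inputs = { "report.txt", "sub/../report.txt",
                            "../outside.txt", "/etc/hostname" };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW  " + in + " -> " + resolveUnder(base, in));
            } catch (SecurityException e) {
                System.out.println("REJECT " + in);
            }
        }
    }
}
```

The first two inputs are allowed and the last two are rejected. For a path that does not exist yet (a file about to be created), canonicalize its parent directory instead, since symlinks can only be resolved for paths that exist.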


Only allow alnum and a period in input. That means you filter out the control chars, "..", "/", "\" which would make your files vulnerable. For example, one should not be able to enter /path/password.txt.

Once done, rescan and then run Fortify AWB.

user1366399 answered Oct 21 '22 23:10