Fortify file path manipulation solution recommendation

I'm creating a new file as a classpath resource. With the following code, there are critical and high level Path Manipulation issues on Fortify.

import java.io.File;
import java.io.IOException;
import java.nio.file.Paths;

import org.apache.commons.io.FilenameUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.Resource;
import org.springframework.web.multipart.MultipartFile;

public class A {

    @Value("classpath:test")
    private Resource resource;

    // Resource.getFile() throws IOException, so the method must declare it
    public void createFile(MultipartFile sourceFile) throws IOException {

        String fName = FilenameUtils.normalize(sourceFile.getOriginalFilename());

        // path manipulation (the line Fortify flags)
        File newFile = Paths.get(resource.getFile().getPath(), fName).normalize().toFile();

        // ... (rest of the method elided in the original post)
    }

}

I've also tried normalizing the path with FilenameUtils, but I'm still getting the same issues on Fortify. Are these Path Manipulation errors meaningful? Is there any other viable solution?

Btw, Sonar scans are clean for vulnerabilities.

Thanks for any advice!

Regards

karacaoglanb Avatar asked Apr 16 '26 09:04



1 Answer

public static String normalize(String fileName)

Normalizes a path, removing double and single dot path steps.

This method normalizes a path to a standard format. The input may contain separators in either Unix or Windows format. The output will contain separators in the format of the system.

It's a false positive. Most likely, the scan is done with Fortify unaware of the Apache commons-io library. You should seek counsel with whoever scans the thing and see if he has further comment on the issue (you can throw in the code for discussion).

Bagus Tesa Avatar answered Apr 17 '26 21:04

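Whether or not the scanner recognises FilenameUtils.normalize as a sanitizer, the check a reviewer usually wants to see next to a Path Manipulation finding is containment: reject upload names that carry directory components, and verify that the resolved, normalized path still lies under the intended base directory. The following is an added example, not code from the question or the answer; the class and method names are hypothetical, and the temporary directory stands in for resource.getFile(), which the original code used as its base.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not from the original post): resolve an untrusted upload
 * name against a fixed base directory and refuse anything that escapes it.
 * The base directory is an assumption standing in for resource.getFile().
 */
public final class SafeUploadPath {

    private final Path baseDir;

    public SafeUploadPath(Path baseDir) throws IOException {
        // Canonicalize once, so symlinks inside the base cannot confuse the later containment check.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the validated target path, or throws if the name is unacceptable. */
    public Path resolve(String untrustedName) {
        if (untrustedName == null || untrustedName.isBlank()) {
            throw new IllegalArgumentException("empty file name");
        }
        // An upload name is a bare file name: no separators, no NUL, no dot entries.
        if (untrustedName.indexOf('/') >= 0 || untrustedName.indexOf('\\') >= 0
                || untrustedName.indexOf('\0') >= 0
                || untrustedName.equals(".") || untrustedName.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + untrustedName);
        }
        Path candidate = baseDir.resolve(untrustedName).normalize();
        // The resolved path must still be a descendant of the base directory.
        if (!candidate.startsWith(baseDir) || candidate.equals(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo"); // constructed base directory
        SafeUploadPath safe = new SafeUploadPath(base);
        // Constructed sample names: one benign, the rest malformed in different ways.
        String[] samples = {"report.txt", "../../etc/passwd", "sub/../notes.txt", "..", "evil\\x.txt"};
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + safe.resolve(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only "report.txt" is accepted; every other sample is rejected before any file is touched. The startsWith check after normalize() is deliberately kept even though the separator test already excludes traversal, so that the containment invariant is enforced in one place regardless of what earlier validation did.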


