External Control of File Name or Path (CWE ID 73)

File fileDir = new File(fileDirectory);
File file = new File(fileDir, fileName);

In the last line I am getting “This call to java.io.File() contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted input.”

Help me to solve it.


Please provide a bit more information - no one will be able to help you with what you provided.

This is the way we are getting input.

 String fileName = _request.getParameter("fileName");

Veracode scanner has reported this flaw.

Anything could be inside that parameter, even a malicious filepath that actually points to a config file containing passwords. You’ll need to validate the string, make sure it contains things that you’d expect. 

I am sorry, what kind of validation will Veracode understand?
Can you give a code example?
Thank you in advance!

Read this.

Please check this link https://downloads.veracode.com/securityscan/cwe/v5/net/73.html#example
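
An added example, not code from any poster in this thread or from Veracode: one common way to validate a request-supplied file name before building a path from it, using an allowlist pattern followed by a canonical-path containment check. The class name `SafeFileResolver`, the allowed-name pattern, and the assumption that the base directory comes from fixed server-side configuration (not from the request) are all illustrative choices.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class SafeFileResolver {
    // Assumption: legitimate names look like "report-2024.pdf".
    // No path separators are allowed, and the name may not start with a dot.
    private static final Pattern ALLOWED_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    /** Resolve an untrusted file name inside baseDir, or throw. */
    public static Path resolve(Path baseDir, String fileName) throws IOException {
        // Step 1: allowlist the name itself (rejects "../x", "/etc/passwd", "a/b").
        if (fileName == null || !ALLOWED_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("file name not allowed");
        }
        // Step 2: canonicalize the trusted base (it must exist; symlinks resolved).
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(fileName).normalize();
        // If the target exists, resolve symlinks so a link cannot point outside.
        if (Files.exists(candidate)) {
            candidate = candidate.toRealPath();
        }
        // Step 3: containment check on whole path elements, not string prefixes.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary base directory with one file.
        Path base = Files.createTempDirectory("uploads");
        Files.createFile(base.resolve("report.txt"));
        String[] samples = {"report.txt", "new-file.csv", "../etc/passwd",
                            "/etc/passwd", "a/b.txt", "..", ".hidden"};
        for (String s : samples) {
            try {
                System.out.println("OK       " + resolve(base, s).getFileName());
            } catch (RuntimeException e) {
                System.out.println("REJECTED " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In the servlet from the question, the value returned by `_request.getParameter("fileName")` would be passed as `fileName`, and the returned `Path` (or `path.toFile()`) used in place of `new File(fileDir, fileName)`.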