Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jayasharma8
jayasharma8
Copilot Lvl 2
‎02-12-2018 11:02 PM
Message 1 of 6

External Control of File Name or Path (CWE ID 73)

File fileDir = new File(fileDirectory);
File file = new File(fileDir, fileName);

 

in the last line i am getting "This call to java.io.File() contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted input."

 

Help me to solve it.

Thanks

0 Kudos
Reply
5 Replies
mpboom
mpboom
Commander Lvl 3
‎02-13-2018 03:12 AM
Message 2 of 6

Re: External Control of File Name or Path (CWE ID 73)

Please provide a bit more information - no one will be able to help you with what you provided.


- Mark
0 Kudos
Reply
jayasharma8
jayasharma8
Copilot Lvl 2
‎02-14-2018 11:44 PM
Message 3 of 6

Re: External Control of File Name or Path (CWE ID 73)

This is the way we are getting input.

 

 String fileName = _request.getParameter("fileName");

 

veracode scanner has reported this flaw.

0 Kudos
Reply
Joshhua5
Joshhua5
Ground Controller Lvl 1
‎01-16-2019 06:38 PM
Message 4 of 6

Re: External Control of File Name or Path (CWE ID 73)

Anything could be inside that parameter, even a malicious filepath that actually points to a config file containing passwords. You'll need to validate the string, make sure it contains things that you'd expect. 

0 Kudos
Reply
crocen98
crocen98
Copilot Lvl 2
2 weeks ago
Message 5 of 6

Re: External Control of File Name or Path (CWE ID 73)

I am sorry, what kind of validation will veracode understand?
Can you give a code example?
Thank you in advance!

0 Kudos
Reply
fire-eggs
fire-eggs
Commander Lvl 2
2 weeks ago
Message 6 of 6

Re: External Control of File Name or Path (CWE ID 73)

Read this.

 

Please follow-up to let us know how you made out. For good karma, mark a reply as the answer if it helped!

0 Kudos
Reply

Other ways to get help

GitHub Help Contact GitHub
@GitHubHelp GitHub Enterprise Support

More places to learn

Information
Blogs

Community areas