Adobe Experience Manager Sites & More

toimrank · 5/4/21

Hi All,

We are seeing below issue in Sonar for below inline code, tried different approached but not able to resolve the issue:

Sonar Issue:

java/io/File.createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File; reads a file whose location might be specified by user input

Vulnerability

Major

findsecbugs:PATH_TRAVERSAL_IN

cwe,owasp-a4,wasc

https://www.adobe.com/go/aem_cmcq_path_traversal_in_en

Code:

String fileName = pdfArray[pdfArray.length - 2];

File tempDir = Files.createTempDirectory(null).toFile();

File htmlFile = File.createTempFile(FilenameUtils.getName(fileName),PlatformConstants.HTML_SUFFIX, tempDir);

Thanks in advance

SureshDhulipudi · 5/4/21

Did you try creating a separate method for createFile

static File createTempDir(File parentDir) throws IOException {
return Files.createTempDirectory(<param1>, <param2>,<param3>);
}

Abinash · 3/22/22

We tried applying the above mentioned suggestions but still its showing the vulnerability in Sonar.

Error:::reads a file whose location might be specified by user input Vulnerability

JoseGuzman1 · 8/28/23

Hello, were you able to solve the problem? I find myself with the same problem, the adaptations have already been added according to the documentation and it keeps showing me the error.

vjleo94 · 10/31/24

Hi,

Were you able to find a solution for this ?

Please share.

Best regards,

Vijaya Kumar A

ancara · 11/27/24

Hello @All

Anyone could share solution for this? Regards!

daniel-strmecki · 11/27/24

Hi @toimrank,

this warning suggests a cross-site scripting vulnerability. Are you creating the fileName from any user-provided parameters, like GET params in a Sling Servlet?

Good luck,

Daniel

Ana_BelénCa · 11/27/24

Hi @daniel-strmecki ,

Thanks for your support, it is not my case. It is a private method with local params.

Regards,

Ana.

daniel-strmecki · 11/27/24

Hi @Ana_BelénCa,

not sure how "smart" this rule in SonarQube is, but in more advanced vulnerability scanning tools like Snyk would check all the places where you call the method and if you are passing any user-provided params.

Good luck,

Daniel

kautuk_sahni · 12/16/24

@toimrank Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni

ancara · 12/16/24

Hello @kautuk_sahni

Finally we have to refactor all code, so we have not fixed this error. We cannot add a possible solution.

Regards,

Ana

Adobe Experience Manager Sites & More

Adobe Cloud manager - Sonar issue - reads a file whose location might be specified by user input

Kautuk Sahni

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe