Adobe Cloud manager - Sonar issue - reads a file whose location might be specified by user input

  • May 4, 2021
  • 5 replies
  • 5489 views

Hi All,

We are seeing the issue below in Sonar for the inline code below; we tried different approaches but were not able to resolve it:

 

Sonar Issue:

java/io/File.createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File; reads a file whose location might be specified by user input

Vulnerability

Major

 

findsecbugs:PATH_TRAVERSAL_IN

cwe,owasp-a4,wasc

https://www.adobe.com/go/aem_cmcq_path_traversal_in_en

 

 

Code:

String fileName = pdfArray[pdfArray.length - 2];           // second-to-last segment of the PDF path
File tempDir = Files.createTempDirectory(null).toFile();   // fresh directory under the default temp dir, no prefix
File htmlFile = File.createTempFile(FilenameUtils.getName(fileName), PlatformConstants.HTML_SUFFIX, tempDir);   // line Sonar flags

 

Thanks in advance
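The two ways a practitioner usually resolves this finding, shown as an added example that is not code from the post or from Adobe: either keep the untrusted name out of the file-system call entirely and carry it separately (variant 1), or let it into the prefix only after an explicit, fail-closed allow-list check that rejects separators instead of silently stripping them (variant 2). PlatformConstants.HTML_SUFFIX is replaced by a local constant, and the pdfArray contents and the hostile names are constructed inputs; both are assumptions of the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class SafeTempFile {

    // Assumption: stands in for PlatformConstants.HTML_SUFFIX from the post.
    private static final String HTML_SUFFIX = ".html";

    // Allow-list for a temp-file prefix: ASCII letters/digits, dot, dash, underscore,
    // 3..64 characters. No path separators, so "../x" or "a\b" fail the match.
    // (File.createTempFile itself requires a prefix of at least three characters.)
    private static final Pattern SAFE_PREFIX = Pattern.compile("[A-Za-z0-9._-]{3,64}");

    /** Variant 1: the untrusted name never reaches the file-system API. */
    static File createHtmlTempFile(File tempDir) throws IOException {
        return File.createTempFile("aem-html-", HTML_SUFFIX, tempDir);
    }

    /**
     * Variant 2: the name is used as the prefix only after an explicit,
     * fail-closed allow-list check. Rejecting (rather than stripping) keeps
     * the validation visible to reviewers and to taint-tracking rules.
     */
    static String checkedPrefix(String untrusted) {
        if (untrusted == null || !SAFE_PREFIX.matcher(untrusted).matches()) {
            throw new IllegalArgumentException("file name not allowed as temp-file prefix");
        }
        return untrusted;
    }

    static File createNamedHtmlTempFile(String untrustedName, File tempDir) throws IOException {
        return File.createTempFile(checkedPrefix(untrustedName), HTML_SUFFIX, tempDir);
    }

    /** Post-condition check: the created file is a direct child of tempDir. */
    static boolean isDirectChild(File tempDir, File f) throws IOException {
        Path parent = f.toPath().toRealPath().getParent();
        return parent != null && parent.equals(tempDir.toPath().toRealPath());
    }

    public static void main(String[] args) throws IOException {
        File tempDir = Files.createTempDirectory("cm-").toFile();
        tempDir.deleteOnExit();

        // Constructed sample input mirroring the post's pdfArray indexing.
        String[] pdfArray = {"content", "dam", "report.pdf", "jcr:content"};
        String fileName = pdfArray[pdfArray.length - 2];   // "report.pdf"

        File fixed = createHtmlTempFile(tempDir);
        File named = createNamedHtmlTempFile(fileName, tempDir);
        for (File f : new File[] {fixed, named}) {
            f.deleteOnExit();
            System.out.println(f.getName() + " inside tempDir: " + isDirectChild(tempDir, f));
        }

        // Constructed hostile inputs: each is rejected before any file-system call.
        for (String bad : new String[] {"../../etc/passwd", "..\\..\\win.ini", "a", "x y.pdf"}) {
            try {
                createNamedHtmlTempFile(bad, tempDir);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

Two caveats. First, on JDK 8 and later File.createTempFile reduces the prefix to its last path element (the equivalent of new File(prefix).getName()) before composing the name and then checks that the result stays inside the directory, so a separator in the prefix cannot escape tempDir on its own; the rule is reporting that tainted data reaches a file-system sink, not a confirmed traversal. Second, the thread does not establish which sanitizers the find-sec-bugs taint rules recognise, so whether FilenameUtils.getName or the regex check above silences the rule is tool-dependent; variant 1 removes the flow altogether and is the option that does not depend on that.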


5 replies

SureshDhulipudi
Community Advisor
May 5, 2021

Did you try creating a separate method for createFile?

static File createTempDir(File parentDir, String prefix) throws IOException {
    // Files.createTempDirectory(Path dir, String prefix, FileAttribute<?>... attrs) returns a Path;
    // convert it back to a File for the createTempFile call
    return Files.createTempDirectory(parentDir.toPath(), prefix).toFile();
}

March 22, 2022

We tried applying the above-mentioned suggestions, but it is still showing the vulnerability in Sonar.

Error: reads a file whose location might be specified by user input (Vulnerability)

August 28, 2023

Hello, were you able to solve the problem? I have the same problem; the adaptations have already been added according to the documentation and it keeps showing me the error.

vjleo94
October 31, 2024

Hi,

Were you able to find a solution for this?

Please share.

Best regards,

Vijaya Kumar A

November 27, 2024

Hello @1905403

 

Could anyone share a solution for this? Regards!

daniel-strmecki
Community Advisor and Adobe Champion
November 27, 2024

Hi @toimrank,

This warning suggests a cross-site scripting vulnerability. Are you creating the fileName from any user-provided parameters, like GET params in a Sling Servlet?

 

Good luck,

Daniel

November 28, 2024

Hi @daniel-strmecki ,

 

Thanks for your support, but it is not my case. It is a private method with local params.

Regards,

Ana.

daniel-strmecki
Community Advisor and Adobe Champion
November 28, 2024

Hi @ana_belénca,

Not sure how "smart" this rule in SonarQube is, but more advanced vulnerability scanning tools like Snyk would check all the places where you call the method and whether you are passing any user-provided params.

 

Good luck,

Daniel

kautuk_sahni
Community Manager
December 16, 2024

@toimrank Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni
December 16, 2024

Hello @kautuk_sahni 

 

In the end we had to refactor all the code, so we have not fixed this error. We cannot add a possible solution.

 

Regards,

Ana