
Adobe Cloud manager - Sonar issue - reads a file whose location might be specified by user input


Level 3

Hi All,

We are seeing the below issue in Sonar for the below inline code. We tried different approaches but were not able to resolve the issue:

Sonar Issue:

java/io/File.createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File; reads a file whose location might be specified by user input

Type: Vulnerability

Severity: Major

Rule: findsecbugs:PATH_TRAVERSAL_IN

Tags: cwe, owasp-a4, wasc

https://www.adobe.com/go/aem_cmcq_path_traversal_in_en


Code:

import java.io.File;
import java.nio.file.Files;
import org.apache.commons.io.FilenameUtils;

// pdfArray is built from request data, so fileName is user-controlled (the taint source).
String fileName = pdfArray[pdfArray.length - 2];
// A null prefix is permitted by Files.createTempDirectory.
File tempDir = Files.createTempDirectory(null).toFile();
// The taint sink: the first argument (prefix) is derived from fileName.
File htmlFile = File.createTempFile(FilenameUtils.getName(fileName), PlatformConstants.HTML_SUFFIX, tempDir);


Thanks in advance

2 Replies


Community Advisor

Did you try creating a separate method for createFile?

// Placeholders resolved against the JDK signature
// Files.createTempDirectory(Path dir, String prefix, FileAttribute<?>... attrs), which returns a Path.
static File createTempDir(File parentDir, String prefix) throws IOException {
    return Files.createTempDirectory(parentDir.toPath(), prefix).toFile();
}


Level 1

We tried applying the above-mentioned suggestions, but it is still showing the vulnerability in Sonar.

Error: reads a file whose location might be specified by user input (Vulnerability)
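The rule is a taint-tracking check: FindSecBugs follows data that originates in the request (here pdfArray) into the prefix argument of File.createTempFile, and neither FilenameUtils.getName nor moving the call into a helper method changes what flows into that argument, so the finding persists. FilenameUtils.getName does strip directory components, and the JDK appends a random number to the prefix, so the caller never controls the full file name; the analyzer still reports the flow because it cannot prove that. The reliable way to clear the finding is to keep request data out of the sink entirely. The following is an added example, not code from the original post or from Adobe's Cloud Manager or AEM. It assumes the temp directory is created per request with Files.createTempDirectory and that PlatformConstants.HTML_SUFFIX is ".html"; the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/*
 * Added example (not the original poster's code). Assumed: the temp directory
 * comes from Files.createTempDirectory and PlatformConstants.HTML_SUFFIX is ".html".
 */
public class TempHtmlFiles {

    // Stand-in for PlatformConstants.HTML_SUFFIX (assumed value).
    static final String HTML_SUFFIX = ".html";

    // Allowlist for a base name: letters, digits, '_' and '-' only.
    // No dots or separators, so "..", "/" and "\" can never pass.
    // Minimum 3 characters because File.createTempFile rejects shorter prefixes.
    static final Pattern SAFE_BASE_NAME = Pattern.compile("[A-Za-z0-9_-]{3,64}");

    /**
     * Option A: keep request data out of the sink entirely.
     * The prefix is a constant, so there is no user-influenced argument
     * for the analyzer to trace into File.createTempFile.
     */
    public static File createTempHtml(File tempDir) throws IOException {
        return File.createTempFile("pdf2html-", HTML_SUFFIX, tempDir);
    }

    /**
     * Option B: the user's base name must appear in the temp file name.
     * Reduce the input to a validated base name first; anything that fails
     * the allowlist is rejected rather than "cleaned".
     */
    public static String toSafeBaseName(String userFileName) {
        if (userFileName == null) {
            throw new IllegalArgumentException("missing file name");
        }
        // Drop any directory part, whichever separator the client used.
        int cut = Math.max(userFileName.lastIndexOf('/'), userFileName.lastIndexOf('\\'));
        String name = userFileName.substring(cut + 1);
        // Drop the extension, e.g. "report.pdf" -> "report".
        int dot = name.lastIndexOf('.');
        if (dot > 0) {
            name = name.substring(0, dot);
        }
        if (!SAFE_BASE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("file name not allowed: " + userFileName);
        }
        return name;
    }

    public static File createNamedTempHtml(File tempDir, String userFileName) throws IOException {
        String base = toSafeBaseName(userFileName);
        Path dir = tempDir.toPath().toRealPath();
        // Belt and braces: the resolved path must stay under the temp directory.
        Path target = dir.resolve(base + HTML_SUFFIX).normalize();
        if (!target.startsWith(dir)) {
            throw new IOException("path escapes temp directory: " + target);
        }
        // Files.createFile has CREATE_NEW semantics: it fails instead of truncating an existing file.
        return Files.createFile(target).toFile();
    }

    public static void main(String[] args) throws IOException {
        File tempDir = Files.createTempDirectory("aem-demo").toFile();
        System.out.println(createTempHtml(tempDir));
        // Directory components are dropped: this becomes <tempDir>/passwd.html.
        System.out.println(createNamedTempHtml(tempDir, "../../etc/passwd"));
        try {
            // Space and '!' are outside the allowlist, so this is rejected.
            createNamedTempHtml(tempDir, "bad name!.pdf");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Option A is the one that satisfies the rule as stated, because no user-derived value reaches File.createTempFile; the original file name can still be kept as metadata next to the generated file. Option B is defence in depth for the case where the name must be preserved: it is safe by construction (allowlist, no separators, containment check), but a purely syntactic check is not a sanitizer the taint analysis recognises, so Sonar may still report it and the finding would then have to be reviewed and marked as such rather than made to disappear.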
