Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

Adobe Cloud manager - Sonar issue - reads a file whose location might be specified by user input

Avatar

Level 3

Hi All,

 

We are seeing below issue in Sonar for below inline code, tried different approached but not able to resolve the issue:

 

Sonar Issue:

java/io/File.createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File; reads a file whose location might be specified by user input

Vulnerability

Major

 

findsecbugs:PATH_TRAVERSAL_IN

cwe,owasp-a4,wasc

https://www.adobe.com/go/aem_cmcq_path_traversal_in_en

 

 

Code:

String fileName = pdfArray[pdfArray.length - 2];

File tempDir = Files.createTempDirectory(null).toFile();

File htmlFile = File.createTempFile(FilenameUtils.getName(fileName),PlatformConstants.HTML_SUFFIX, tempDir);

 

Thanks in advance

3 Replies

Avatar

Community Advisor

Did you try creating a separate method for createFile

 

static File createTempDir(File parentDir) throws IOException {
return Files.createTempDirectory(<param1>, <param2>,<param3>);
}

Avatar

Level 1

We tried applying the above mentioned suggestions but still its showing the vulnerability in Sonar.

Error:::reads a file whose location might be specified by user input Vulnerability

Avatar

Level 1

Hello, were you able to solve the problem? I find myself with the same problem, the adaptations have already been added according to the documentation and it keeps showing me the error.