
I've got two issues sonar is sad about. First one in a line of code with relative path traversal issue which looks like this:

File f = new File(MY_DIR + filename);

Where filename is a parameter I've got from a request.
The second line is about an absolute path traversal issue, which looks the same except that there is no MY_DIR in front.

I've added validation checks after these lines using a method which ensures that the file is inside the MY_DIR directory using canonical paths, so now it looks like this:

...
File rootDirFile = new File(MY_DIR);
if (validateFileName(rootDirFile, f)) {
...
private static boolean validateFileName(File targetDir, File fileToCheck) throws IOException {
    // Compare canonical paths so that ".." segments and symlinks are resolved first;
    // the trailing separator stops a sibling such as MY_DIR + "2" from passing as a prefix match.
    String targetDirPath = targetDir.getCanonicalPath() + File.separator;
    String pathToCheck = fileToCheck.getCanonicalPath();

    return pathToCheck.startsWith(targetDirPath);
}

But sonar is still saying I've got a vulnerability at those two lines. How do I tell it that I've found the solution?

Anton Zvonovsky
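An added Java example (not code from the question or the answers) that exercises the same canonical-path containment check against constructed inputs, including the prefix-sharing sibling directory that the trailing separator guards against; the names isInside and resolveOrReject are chosen here, and a temp directory stands in for MY_DIR:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class PathTraversalCheck {

    // Same approach as the question's validateFileName: compare canonical paths,
    // keeping the trailing separator so a sibling such as "/srv/data2" is not
    // accepted as being inside "/srv/data".
    static boolean isInside(File rootDir, File candidate) throws IOException {
        String root = rootDir.getCanonicalPath() + File.separator;
        return candidate.getCanonicalPath().startsWith(root);
    }

    // Resolve a request-supplied name and reject it unless it stays under rootDir.
    // Relative names are joined to rootDir (the MY_DIR + filename case); names the
    // client sends as absolute paths are taken as-is and must still land inside rootDir.
    static File resolveOrReject(File rootDir, String requested) throws IOException {
        File f = new File(requested).isAbsolute()
                ? new File(requested) : new File(rootDir, requested);
        if (!isInside(rootDir, f)) {
            throw new SecurityException("path escapes root: " + requested);
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temp directory plus a sibling whose name shares its prefix.
        File root = Files.createTempDirectory("data").toFile();
        File sibling = new File(root.getParentFile(), root.getName() + "2");
        sibling.mkdir();
        String[] requests = {
            "report.txt",                                            // plain name under root
            "sub/../report.txt",                                     // harmless "..", canonicalizes inside root
            "../" + root.getName() + "2/secret.txt",                 // relative escape into the sibling
            new File(root, "report.txt").getPath(),                  // absolute path inside root
            new File(sibling, "secret.txt").getPath(),               // absolute path into the prefix-sharing sibling
            new File(root.getParentFile(), "secret.txt").getPath()   // absolute path above root
        };
        for (String r : requests) {
            try {
                System.out.println("ACCEPT " + resolveOrReject(root, r));
            } catch (SecurityException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
        sibling.delete();
        root.delete();
    }
}
```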

2 Answers


Mithfindel is right. Your only option is to mark the issues "Won't Fix" or, if that's not available in your version of the platform, "False Positive".

There is no "correct code solution" for these security rules. That's because they're designed to alert a human security auditor to all potential problems. It's then up to the auditor to examine the code and either close the issue ("Won't Fix") or raise it with the appropriate team.

You can find more in the docs.

G. Ann - SonarSource Team

Depending on your version, you can mark the issue as "Won't fix" (meaning that the debt from this issue is accepted - since 5.1) or "False positive" (meaning that you think that the analysis engine is wrong - before 5.1).

Mithfindel