
We are trying to fix some issues reported by Checkmarx, and I have to say Stored xxx serial issues are hard to find a solution for.

About this one, we have the following code:

PreparedStatement ps = conn.prepareStatement(sql);
ResultSet rs = ps.executeQuery();
if (rs.next()) {
    // Encode the DB value before storing it on the entity
    entity.setFilePath(org.owasp.encoder.Encode.forJava(rs.getString("FilePath")));
}
rs.close();
ps.close();

return entity;

Then I use the entity like this:

entity = dao.getEntity();
inputStream = new FileInputStream(entity.getFilePath());

Checkmarx still reports the issue at the inputStream line, but I already encoded it before returning the entity. How can I solve an issue like this?


Output encoding the file path may not necessarily help you prevent path traversal. Your SAST solution is assuming that the data from the DB is tainted, so one way to mitigate this risk is to replace strings of potentially malicious characters:

if (rs.next()) {
    // Strip backslashes from the stored path before using it
    entity.setFilePath(rs.getString("FilePath").replace("\\", ""));
}

Another way is to store just the filename (if the paths are predetermined) and canonicalize the path with the getCanonicalPath method.

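An added example (not code from the question or the answer) of the second approach described above: the DB holds only a bare file name, which is resolved against a fixed base directory and checked with the canonical path so that a stored value cannot escape that directory. The base directory /var/app/uploads and the class and method names are assumptions for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public class SafeFileResolver {
    // Assumed location: every file referenced from the DB must live under this directory.
    private static final File BASE_DIR = new File("/var/app/uploads");

    /**
     * Resolves a file name read from the DB against BASE_DIR and verifies that the
     * canonical result is still inside BASE_DIR, so "..", absolute paths and symlinks
     * pointing elsewhere cannot reach a file outside the allowed directory.
     */
    public static File resolveSafely(String storedName) throws IOException {
        if (storedName == null || storedName.isEmpty()) {
            throw new IOException("empty file name");
        }
        // Only a bare file name is expected; reject anything that looks like a path.
        if (storedName.contains("/") || storedName.contains("\\") || storedName.contains("..")) {
            throw new IOException("rejected file name: " + storedName);
        }
        File base = BASE_DIR.getCanonicalFile();
        File candidate = new File(base, storedName).getCanonicalFile();
        // Containment check on canonical paths (the base plus a separator, not just a prefix).
        if (!candidate.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("path escapes base directory: " + candidate);
        }
        return candidate;
    }

    // Replacement for new FileInputStream(entity.getFilePath()) in the question.
    public static InputStream open(String storedName) throws IOException {
        return new FileInputStream(resolveSafely(storedName));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values: the first is accepted, the other two are rejected.
        for (String name : new String[] {"report.pdf", "../etc/passwd", "/etc/passwd"}) {
            try {
                System.out.println("accepted: " + resolveSafely(name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The validation happens where the value is used, which is also where a SAST tool expects the taint flow to be sanitized; encoding at the DAO layer does not change the characters that matter to the file system.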