We are currently using axis2-kernel-1.5.6.jar and the veracode analysis found this bug in these class
1. DeploymentEngine.java (Line 381, 421, 469, 802, 816, 818)
2. DirectoryResourceLocation.java (Line 39)
3. HTTPWorker.java (Line 101 and 177)
4. ListingAgent.java (Line 123)
5. Utils.java (Line 650)
6. WarBasedWSDLLocator.java (Line 68)
Description of the bug:
This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.
is this a false positive?