CXF-8448

CodeQL : Uncontrolled data used in path expression. Security check


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.3.10
    • Fix Version/s: 3.3.10
    • Component/s: Core
    • Labels: None
    • Estimated Complexity: Unknown

      Description


      The CodeQL run for the build is failing due to a security check. The build was triggered by a push which did a refactor of the file AttachmentUtil.

      As we can see, the line causing the CodeQL failure is line 187, which is as below:

      bos.setOutputDir(new File((String)directory));


      But the "directory" is given by the caller, which the class has no control over.
      If we look at a sample of the test cases' usage of AttachmentDeserializer.ATTACHMENT_DIRECTORY,
      we can see System.getProperty("java.io.tmpdir"), which on Linux is
      /tmp, and by applying the rule it will end up with tmp.

      I have reported a false positive issue to the CodeQL project.
      Also please take a look at the security issues in the LGTM.com site security error list,
      where the issue is reported as well.
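      How a caller-supplied attachment directory can be resolved and checked before it reaches the new File(...) sink that the rule flags, as an added Java example that is not CXF's code. The property name AttachmentDeserializer.ATTACHMENT_DIRECTORY and the java.io.tmpdir default come from the issue; the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not CXF code. Shows the pattern CodeQL flags on line 187
// beside a form that resolves the caller-supplied directory first. The
// property AttachmentDeserializer.ATTACHMENT_DIRECTORY and the default
// java.io.tmpdir come from the issue; the class and method names here are
// hypothetical.
public final class AttachmentDirectoryCheck {

    // Default the issue mentions: java.io.tmpdir, which is /tmp on Linux.
    static final Path DEFAULT_DIR =
            Paths.get(System.getProperty("java.io.tmpdir")).toAbsolutePath().normalize();

    // Flagged pattern: the caller's value flows straight into a File path.
    static File unchecked(Object directory) {
        return new File((String) directory);
    }

    // Hardened form: canonicalise the value (removes "..", relative segments
    // and symlinks), require an existing directory, and if an allowed base is
    // configured, require the result to stay inside it.
    static File checked(Object directory, Path allowedBase) throws IOException {
        if (!(directory instanceof String) || ((String) directory).isEmpty()) {
            return DEFAULT_DIR.toFile();
        }
        Path candidate = Paths.get((String) directory).toRealPath();
        if (!Files.isDirectory(candidate)) {
            throw new IOException("not a directory: " + candidate);
        }
        if (allowedBase != null && !candidate.startsWith(allowedBase.toRealPath())) {
            throw new IOException("outside allowed base: " + candidate);
        }
        return candidate.toFile();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the tmpdir itself passes; its parent is rejected.
        System.out.println("ok: " + checked(DEFAULT_DIR.toString(), DEFAULT_DIR));
        try {
            checked(DEFAULT_DIR.resolve("..").toString(), DEFAULT_DIR);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Because toRealPath() resolves the path on disk, the base directory and the candidate compare correctly even when the temp directory is reached through a symlink.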



            People

            • Assignee: Unassigned
            • Reporter: Alan Mehio (alanmehio)
