CXF / CXF-8448

CodeQL : Uncontrolled data used in path expression. Security check


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.3.10
    • 3.3.10
    • Core
    • None
    • Unknown

    Description

      The CodeQL scan for the build is failing due to a security check. The build was triggered by a push which did a refactor of the file AttachmentUtil.

      As we can see, the line causing the CodeQL failure is 187, which is as below:

      bos.setOutputDir(new File((String)directory));

      but the "directory" is given by the caller, which the class has no control over.
      If we look at a sample of the test cases' usage of AttachmentDeserializer.ATTACHMENT_DIRECTORY,
      we can see System.getProperty("java.io.tmpdir"), which on Linux is
      /tmp, and by applying the rule it will end up with tmp.

      I have reported a false positive issue to the CodeQL project.
      Also please take a look at the security issues from the LGTM.com site security error list,
      and the issue is reported there.
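      As an added illustration (not CXF's own code, and not the fix applied to this issue): one way to satisfy the "uncontrolled data used in path expression" check is to canonicalize the caller-supplied directory and confirm it stays under an allowed base before passing it to setOutputDir. The allowed base (java.io.tmpdir here), the class name and the method name are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;

// Added example, not CXF code: guard a caller-supplied attachment directory
// before handing it to an output-directory sink such as setOutputDir(...).
public final class AttachmentDirGuard {

    private AttachmentDirGuard() {}

    /**
     * Returns the canonical File for 'directory' if it is an existing directory
     * located at or below 'allowedBase'; throws otherwise.
     * 'allowedBase' is an assumption for this example (e.g. java.io.tmpdir).
     */
    public static File resolveOutputDir(String directory, File allowedBase) throws IOException {
        if (directory == null || directory.isEmpty()) {
            throw new IllegalArgumentException("attachment directory must be set");
        }
        File base = allowedBase.getCanonicalFile();
        // getCanonicalFile resolves "..", symlinks and redundant separators,
        // so a value such as "/tmp/../etc" is compared by its real target.
        File candidate = new File(directory).getCanonicalFile();
        // Path.startsWith compares whole path components, so "/tmpfoo"
        // does not count as being under "/tmp".
        if (!candidate.toPath().startsWith(base.toPath())) {
            throw new SecurityException("attachment directory " + candidate
                    + " is outside the allowed base " + base);
        }
        if (!candidate.isDirectory()) {
            throw new IOException("attachment directory is not a directory: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        // Accepted: the temp directory itself, as the CXF tests use it.
        System.out.println("accepted: " + resolveOutputDir(tmp.getPath(), tmp));
        // Rejected: a value that escapes the base via "..".
        try {
            resolveOutputDir(new File(tmp, "..").getPath(), tmp);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      The accepted value is then what reaches the sink, so the data flowing into the path expression has passed an explicit containment check rather than coming straight from the caller.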


          People

            Assignee: Unassigned
            Reporter: Alan Mehio (alanmehio)