java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal
Verified by r2c
Community Favorite

Download Count*: 98,708
Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.
Definition
rules:
  - id: jax-rs-path-traversal
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN
      references:
        - https://www.owasp.org/index.php/Path_Traversal
      category: security
      technology:
        - jax-rs
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Detected a potential path traversal. A malicious actor could control
      the location of this file, to include going backwards in the directory
      with '../'. To address this, ensure that user-controlled variables in file
      paths are sanitized. You may also consider using a utility method such as
      org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file
      name from the path.
    severity: WARNING
    languages:
      - java
    pattern-either:
      - pattern: |
          $RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) {
            ...
            new File(..., $VAR, ...);
            ...
          }
      - pattern: |-
          $RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) {
            ...
            new File(..., $VAR, ...);
            ...
          }
Examples
jax-rs-path-traversal.java
package servlets;

import java.io.File;
import java.io.FileInputStream;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import com.biz.org.Status;
import org.apache.commons.io.FilenameUtils;

@Path("/")
public class Cls
{
    // ruleid:jax-rs-path-traversal
    @GET
    @Path("/images/{image}")
    @Produces("images/*")
    public Response getImage(@javax.ws.rs.PathParam("image") String image) {
        File file = new File("resources/images/", image); //Weak point
        if (!file.exists()) {
            return Response.status(Status.NOT_FOUND).build();
        }
        return Response.ok().entity(new FileInputStream(file)).build();
    }

    // ok:jax-rs-path-traversal
    @GET
    @Path("/images/{image}")
    @Produces("images/*")
    public Response ok(@javax.ws.rs.PathParam("image") String image) {
        File file = new File("resources/images/", FilenameUtils.getName(image)); //Fix
        if (!file.exists()) {
            return Response.status(Status.NOT_FOUND).build();
        }
        return Response.ok().entity(new FileInputStream(file)).build();
    }
}
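The rule message recommends FilenameUtils.getName(...) so that only the file name survives from the user-controlled @PathParam value. The following is an added, stand-alone example (not part of the Semgrep rule or its test file) that shows what that reduction does to a few constructed inputs, and pairs it with the second defense a reviewer usually asks for: resolving the value against the intended base directory and rejecting anything that normalizes to a location outside it, including symbolic links that point out of the directory. The class and method names (SafeFileAccess, baseName, resolveInside) are hypothetical; baseName re-implements the behaviour of FilenameUtils.getName so the example has no dependency beyond the JDK.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (hypothetical names): two layers of defense for a file name
 * taken from a JAX-RS @PathParam, as suggested by the rule message.
 */
public class SafeFileAccess {

    /**
     * Same effect as org.apache.commons.io.FilenameUtils.getName: keep only the
     * last path segment, treating both '/' and '\' as separators.
     */
    static String baseName(String userInput) {
        int cut = Math.max(userInput.lastIndexOf('/'), userInput.lastIndexOf('\\'));
        return userInput.substring(cut + 1);
    }

    /**
     * Resolve userInput under base and reject any result that is not inside it.
     * normalize() collapses "." and ".." segments; an absolute userInput replaces
     * base entirely on resolve(), so it fails the startsWith check as well.
     * If the file exists, toRealPath() follows symbolic links and the check is
     * repeated, so a link inside base that targets a file outside it is refused.
     */
    static Path resolveInside(Path base, String userInput) throws IOException {
        Path root = base.toRealPath();
        Path candidate = root.resolve(userInput).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("path escapes base directory: " + userInput);
        }
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root)) {
                throw new IOException("symlink escapes base directory: " + userInput);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary base directory holding one image.
        Path base = Files.createTempDirectory("images");
        Files.write(base.resolve("logo.png"), new byte[] {1, 2, 3});

        // Constructed sample values as they would arrive via @PathParam("image").
        String[] inputs = { "logo.png", "../secret.txt", "sub/../logo.png" };
        for (String input : inputs) {
            System.out.println("input: " + input + "  getName-style: " + baseName(input));
            try {
                Path p = resolveInside(base, input);
                System.out.println("  accepted: " + base.toRealPath().relativize(p));
            } catch (IOException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

With these inputs the first and third are accepted as logo.png, while "../secret.txt" is rejected by the base-directory check; under the rule's own fix (getName only) that same input would instead be reduced to "secret.txt" and then answered with NOT_FOUND, so both approaches keep the read inside resources/images/. Using both is preferable when the application legitimately serves files from subdirectories, where getName alone would discard wanted path segments.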
Short Link: https://sg.run/DoWj