ocaml.lang.security.filenameconcat.ocamllint-filenameconcat
semgrep
Author: unknown
When attacker-supplied data is passed to Filename.concat, directory traversal attacks might be possible.
Definition
rules:
  - id: ocamllint-filenameconcat
    pattern: Filename.concat
    message: When attacker supplied data is passed to Filename.concat directory
      traversal attacks might be possible.
    languages:
      - ocaml
    severity: WARNING
    metadata:
      category: security
      references:
        - https://v2.ocaml.org/api/Filename.html
      technology:
        - ocaml
      cwe: "CWE-35: Path Traversal"
      confidence: LOW
      likelihood: MEDIUM
      impact: MEDIUM
      subcategory:
        - audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
Examples
filenameconcat.ml
(* ruleid:ocamllint-filenameconcat *)
let ofile = Filename.concat "test" "../data" in
Printf.printf "%s\n" ofile
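A hardened counterpart to the flagged call, as an added example that is not part of the Semgrep rule or its test file. The helper name safe_concat, the base directory "uploads" and the sample inputs are assumptions made for illustration, and the code assumes POSIX-style '/' separators.

```ocaml
(* Added example, not from the rule's test file.
   safe_concat is a hypothetical helper; "uploads" is an assumed base dir. *)

(* Split a path on '/', dropping empty and "." segments. *)
let components path =
  String.split_on_char '/' path
  |> List.filter (fun c -> c <> "" && c <> Filename.current_dir_name)

(* Join [name] under [base] only if it cannot lexically escape [base]. *)
let safe_concat base name =
  if not (Filename.is_relative name) then
    Error "absolute path rejected"
  else if String.contains name '\000' then
    Error "NUL byte rejected"
  else
    let parts = components name in
    if parts = [] then
      Error "empty path rejected"
    else if List.mem Filename.parent_dir_name parts then
      (* Any ".." segment is refused, including "a/../../x". *)
      Error "parent-directory segment rejected"
    else
      Ok (List.fold_left Filename.concat base parts)

let () =
  (* Constructed inputs: two benign names, then traversal attempts. *)
  List.iter
    (fun name ->
      match safe_concat "uploads" name with
      | Ok p -> Printf.printf "%S -> %s\n" name p
      | Error e -> Printf.printf "%S rejected: %s\n" name e)
    [ "report.txt";
      "2024/q1/report.txt";
      "./notes.txt";
      "../data";
      "a/../../etc/passwd";
      "/etc/passwd" ]
```

The check is lexical only: it does not resolve symbolic links that already exist inside the base directory. The rule will still flag the Filename.concat call inside safe_concat, since it matches every use for audit.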
Short Link: https://sg.run/x818y