ocaml.lang.security.filenameconcat.ocamllint-filenameconcat

Author
unknown
When attacker-supplied data is passed to Filename.concat, directory traversal attacks might be possible: Filename.concat only joins its two arguments and does not reject ".." segments or absolute paths, so the result can resolve outside the intended directory.

Definition

rules:
  - id: ocamllint-filenameconcat
    pattern: Filename.concat
    message: When attacker supplied data is passed to Filename.concat directory
      traversal attacks might be possible.
    languages:
      - ocaml
    severity: WARNING
    metadata:
      category: security
      references:
        - https://v2.ocaml.org/api/Filename.html
      technology:
        - ocaml
      cwe: "CWE-35: Path Traversal"
      confidence: LOW
      likelihood: MEDIUM
      impact: MEDIUM
      subcategory:
        - audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

filenameconcat.ml

(* ruleid:ocamllint-filenameconcat *)
let ofile = Filename.concat "test" "../data" in
Printf.printf "%s\n" ofile
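The test file above only shows the flagged call. As an added example (not part of the Semgrep rule or its test file), the function below shows one way to validate an untrusted path component before joining it to a base directory with Filename.concat; it assumes Unix-style "/" separators and a constructed list of inputs.

```ocaml
(* Added example, not from the Semgrep rule or its test file.
   Validates an untrusted relative path lexically before joining it to
   [base] with Filename.concat. Assumes Unix-style "/" separators. *)

(* Returns [Some path] only when [untrusted] is a non-empty relative path
   whose segments contain no "", "." or "..", so the result cannot climb
   above [base] lexically. Everything else is rejected with [None]. *)
let safe_join ~base untrusted =
  if untrusted = "" || not (Filename.is_relative untrusted) then None
  else
    let parts = String.split_on_char '/' untrusted in
    if List.exists (fun p -> p = "" || p = "." || p = "..") parts then None
    else Some (List.fold_left Filename.concat base parts)

let () =
  (* Constructed inputs: one benign name and three traversal attempts *)
  List.iter
    (fun name ->
      match safe_join ~base:"data" name with
      | Some p -> Printf.printf "%-16s -> %s\n" name p
      | None -> Printf.printf "%-16s -> rejected\n" name)
    [ "reports/q1.txt"; "../etc/passwd"; "/etc/passwd"; "a/./b" ]
```

This is a lexical check only: it does not follow symbolic links, so a directory under base that links elsewhere still needs a realpath-style check after the join.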