Skip to content

Fix partial path traversal Java example #11899

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 17, 2023
Merged

Fix partial path traversal Java example #11899

merged 1 commit into from
Jan 17, 2023

Conversation

ataillefer
Copy link
Contributor

The Java recommendation example for the "Partial path traversal vulnerability from remote" query doesn't seem right to me. Indeed, the following statement doesn't compile, since dir.getCanonicalPath() returns a String:

dir.getCanonicalPath().toPath()

Maybe the author wanted to state dir.getCanonicalFile().toPath(), which would compile, but is useless compared to dir.getCanonicalPath().

Moreover, parent.getCanonicalFile().toPath() or parent.getCanonicalPath() will not be slash-terminated, contrary to what the description says. From what I can see (and test), the correct fix is to concatenate File.separator to the parent canonical path.

This is linked to #9742.

@ataillefer
Fix partial path traversal Java example
660e6d7 
The Java recommendation example for the "Partial path traversal vulnerability from remote" query doesn't seem right to me. Indeed, the following statement doesn't compile, since `dir.getCanonicalPath()` returns a String:
```
dir.getCanonicalPath().toPath()
```
Maybe the author wanted to state `dir.getCanonicalFile().toPath()`, which would compile, but is useless compared to `dir.getCanonicalPath()`.

Moreover, `parent.getCanonicalFile().toPath()` or `parent.getCanonicalPath()` will **not** be slash-terminated, contrary to what the description says.
From what I can see (and test), the correct fix is to concatenate `File.separator` to the parent canonical path.
@ataillefer ataillefer requested a review from a team as a code owner January 16, 2023 20:15
atorralba
atorralba approved these changes Jan 17, 2023
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Your suggestion is also consistent with the test cases, so I'd say you're right. Thanks for your contribution!

@github-actions
Copy link
Contributor

QHelp previews:

@smowton smowton merged commit 2942598 into github:main Jan 17, 2023
@JLLeitschuh
Copy link
Contributor

JLLeitschuh commented Mar 31, 2023
edited
Loading

This isn't correct. This should have used toPath().normalize()

@JLLeitschuh JLLeitschuh mentioned this pull request Mar 31, 2023
Merged
@JLLeitschuh
Copy link
Contributor

Resolved by #12735

JLLeitschuh added a commit to JLLeitschuh/ql that referenced this pull request Mar 31, 2023
@JLLeitschuh
Fix partial path traversal Java example Again
0bd6587 
The original wouldn't compile, and the fix made by github#11899 is sub-optimal.
This keeps the entire comparision using the Java `Path` object, which is optimal.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
JLLeitschuh added a commit to JLLeitschuh/ql that referenced this pull request Mar 31, 2023
@JLLeitschuh
Fix partial path traversal Java example Again
6da65b7 
The original wouldn't compile, and the fix made by github#11899 is sub-optimal.
This keeps the entire comparision using the Java `Path` object, which is optimal.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
JLLeitschuh added a commit to JLLeitschuh/ql that referenced this pull request Mar 31, 2023
@JLLeitschuh
Fix partial path traversal Java example Again
90d80ed 
The original wouldn't compile, and the fix made by github#11899 is sub-optimal.
This keeps the entire comparision using the Java `Path` object, which is optimal.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
JLLeitschuh added a commit to JLLeitschuh/ql that referenced this pull request Apr 1, 2023
@JLLeitschuh
Fix partial path traversal Java example Again
e641505 
The original wouldn't compile, and the fix made by github#11899 is sub-optimal.
This keeps the entire comparision using the Java `Path` object, which is optimal.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
JLLeitschuh added a commit to JLLeitschuh/ql that referenced this pull request Apr 1, 2023
@JLLeitschuh
Fix partial path traversal Java example Again
0d774a6 
The original wouldn't compile, and the fix made by github#11899 is sub-optimal.
This keeps the entire comparision using the Java `Path` object, which is optimal.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
@ataillefer
Copy link
Contributor Author

Thanks @JLLeitschuh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smowton smowton smowton approved these changes

@atorralba atorralba atorralba approved these changes

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ataillefer @JLLeitschuh @smowton @atorralba