org.openrewrite.java.security.PartialPathTraversalVulnerability
_Replaces dir.getCanonicalPath().startsWith(parent.getCanonicalPath(), which is vulnerable to partial path traversal attacks, with the more secure dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath()).
To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var._
- CWE-22
GitHub, Issue Tracker, Maven Central
- groupId: org.openrewrite.recipe
- artifactId: rewrite-java-security
- version: 2.0.1
{% tabs %} {% tab title="A.java" %}
{% code title="A.java" %}
import java.io.File;
import java.io.IOException;
class A {
void foo(File dir, File parent) throws IOException {
if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
}
}
}{% endcode %}
{% code title="A.java" %}
import java.io.File;
import java.io.IOException;
class A {
void foo(File dir, File parent) throws IOException {
if (!dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
}
}
}{% endcode %}
{% endtab %} {% tab title="Diff" %} {% code %}
--- A.java
+++ A.java
@@ -6,1 +6,1 @@
class A {
void foo(File dir, File parent) throws IOException {
- if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
+ if (!dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());{% endcode %} {% endtab %} {% endtabs %}
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-java-security:2.0.1 in your build file or by running a shell command (in which case no build changes are needed):
{% tabs %}
{% tab title="Gradle" %}
{% code title="build.gradle" %}
plugins {
id("org.openrewrite.rewrite") version("6.1.4")
}
rewrite {
activeRecipe("org.openrewrite.java.security.PartialPathTraversalVulnerability")
}
repositories {
mavenCentral()
}
dependencies {
rewrite("org.openrewrite.recipe:rewrite-java-security:2.0.1")
}{% endcode %} {% endtab %} {% tab title="Maven POM" %} {% code title="pom.xml" %}
<project>
<build>
<plugins>
<plugin>
<groupId>org.openrewrite.maven</groupId>
<artifactId>rewrite-maven-plugin</artifactId>
<version>5.2.4</version>
<configuration>
<activeRecipes>
<recipe>org.openrewrite.java.security.PartialPathTraversalVulnerability</recipe>
</activeRecipes>
</configuration>
<dependencies>
<dependency>
<groupId>org.openrewrite.recipe</groupId>
<artifactId>rewrite-java-security</artifactId>
<version>2.0.1</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
</project>
{% endcode %} {% endtab %}
{% tab title="Maven Command Line" %} {% code title="shell" %} You will need to have Maven installed on your machine before you can run the following command.
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
-Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-java-security:RELEASE \
-Drewrite.activeRecipes=org.openrewrite.java.security.PartialPathTraversalVulnerability{% endcode %} {% endtab %} {% endtabs %}
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.