ChandraReddy1 Absent Member.

Fortify - Path Manipulation issues in Java

I am getting Path Manipulation issues on the following statements of my Java code when I run the Fortify tool on my web application. Below are the different sample statements where it throws HIGH priority security vulnerabilities. Please note that the filePath that is being passed is an absolute path, not a relative one. We have a requirement to read files that are placed in a system directory, hence I have to depend on the java.io file system package.

Please suggest me the resolution to avoid security issues on below statements.

import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.nio.file.Path;
import java.nio.file.Paths;

// Each of these statements is flagged because filePath comes from outside the method.
File file = new File(filePath);
FileReader fileReader = new FileReader(filePath);
FileInputStream inputStream = new FileInputStream(new File(filePath));
String userHome = System.getProperty("user.home");
Path path = Paths.get(filePath);

2 Replies
TrantBatey
New Member.

Re: Fortify - Path Manipulation issues in Java

I have a solution to the Fortify Path Manipulation issues.

What it is complaining about is that if you take data from an external source, then an attacker can use that source to manipulate your path, thus enabling the attacker to delete files or otherwise compromise your system.

The suggested remedy to this problem is to use a whitelist of trusted directories as valid inputs and reject everything else.

This solution is not always viable in a production environment. So, I suggest an alternative solution. Parse the input for a whitelist of acceptable characters. Reject from the input any character you don't want in the path. It could be either removed or replaced.

Below is an example. This does pass the Fortify review. It is important to remember here to return the literal and not the char being checked. Fortify keeps track of the parts that came from the original input. If you use any of the original input, you may still get the error.

public class CleanPath {

    public static String cleanString(String aString) {
        if (aString == null) return null;
        String cleanString = "";
        for (int i = 0; i < aString.length(); ++i) {
            cleanString += cleanChar(aString.charAt(i));
        }
        return cleanString;
    }

    private static char cleanChar(char aChar) {
        // 0 - 9
        for (int i = 48; i < 58; ++i) {
            if (aChar == i) return (char) i;
        }

        // 'A' - 'Z'
        for (int i = 65; i < 91; ++i) {
            if (aChar == i) return (char) i;
        }

        // 'a' - 'z'
        for (int i = 97; i < 123; ++i) {
            if (aChar == i) return (char) i;
        }

        // other valid characters
        switch (aChar) {
            case '/':
                return '/';
            case '.':
                return '.';
            case '-':
                return '-';
            case '_':
                return '_';
            case ' ':
                return ' ';
        }
        return '%';
    }
}

tsomogyi
Visitor.

Re: Fortify - Path Manipulation issues in Java

Is this a real solution? It is just rebuilding the input 'aString' so that Fortify doesn't recognize the returned string as external. That's why cleanChar uses the (ineffective) for-loops to find the char and return the loop variable (char(i)); if it returned the input 'aChar' instead, then Fortify would spot it and complain that some parts still come from an external source. So this solution seems to just trick Fortify instead of providing real protection against the original problem.

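The trusted-directory whitelist that Fortify itself recommends, applied to the absolute paths the question describes: canonicalize the requested path, then confirm it resolves under an approved root before any file is opened. This is an added example, not code from either reply; the root directories and the sample requests are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public final class TrustedPathResolver {

    // Assumed allow-list of trusted directories; a real deployment loads this from configuration.
    private static final List<Path> TRUSTED_ROOTS = List.of(
            Paths.get("/var/app/reports"),
            Paths.get("/var/app/imports"));

    // Returns the canonical path of an existing regular file under a trusted root,
    // or throws before any file is opened.
    public static Path resolve(String filePath) throws IOException {
        if (filePath == null || filePath.isEmpty() || filePath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed path");
        }
        // Fold "." and ".." first, then follow symlinks so the check runs on the real location.
        // toRealPath() throws NoSuchFileException if the file does not exist.
        Path candidate = Paths.get(filePath).toAbsolutePath().normalize().toRealPath();
        for (Path root : TRUSTED_ROOTS) {
            Path realRoot = root.toRealPath();
            // Path.startsWith compares whole name elements, so /var/app/reports2
            // is not accepted as a child of /var/app/reports.
            if (candidate.startsWith(realRoot) && Files.isRegularFile(candidate)) {
                return candidate;
            }
        }
        throw new SecurityException("path is outside the trusted directories: " + candidate);
    }

    public static void main(String[] args) {
        // Constructed sample requests: the first is accepted only if that file exists under a
        // trusted root; the second normalizes to a location outside the roots and is rejected.
        String[] requests = { "/var/app/reports/2023/summary.txt", "/var/app/reports/../../../etc/hosts" };
        for (String request : requests) {
            try {
                Path path = resolve(request);
                try (BufferedReader reader = Files.newBufferedReader(path)) {
                    System.out.println("opened " + path + ": " + reader.readLine());
                }
            } catch (IOException | RuntimeException e) {
                System.out.println("rejected " + request + ": " + e);
            }
        }
    }
}
```

Because the check is on the canonical path rather than on the characters of the input, a traversal sequence or a symlink planted inside a trusted root still cannot reach a file outside it.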