Cadet 3rd Class

java path manipulation

Fortify is giving me a Path Manipulation risk for the following line of code: 

 final File csvFile = File.createTempFile(RandomStringUtils.randomAlphanumeric(8), ".csv", FileUtils.getTempDirectory());

The filename itself is randomly generated with no user input, and the temp directory itself is coming from org.apache.commons-io, which returns System.getProperty("java.io.tmpdir").

Does Fortify expect for me to run a whitelist scan on the randomly created file name?


Accepted Solutions
Commander

Might make sense. java.io.tmpdir may be arbitrarily defined. Fortify likes to flag every possibility of manipulating inputs, even the smallest; redefining system properties may be one of them. The actual solution depends on your use case, though.
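One way to act on the accepted answer's point, as an added example that is not code from this thread: treat the directory from java.io.tmpdir as the untrusted input (the random name is not the problem), resolve it to its real path and require it to sit under an allowlisted base before creating the file. The /tmp and /var/tmp allowlist is an assumption for illustration; adjust it to where your deployment actually keeps temp files.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public final class SafeTempCsv {

    // Assumed allowlist of directories this application is willing to create temp files under.
    private static final List<Path> ALLOWED_BASES =
            List.of(Paths.get("/tmp"), Paths.get("/var/tmp"));

    /**
     * Resolve java.io.tmpdir to its canonical path (follows symlinks, collapses "..")
     * and reject it unless it lies under one of the allowed bases.
     */
    static Path validatedTempDir() throws IOException {
        String configured = System.getProperty("java.io.tmpdir");
        if (configured == null || configured.isBlank()) {
            throw new IOException("java.io.tmpdir is not set");
        }
        Path tmp = Paths.get(configured).toRealPath();
        for (Path base : ALLOWED_BASES) {
            if (!Files.isDirectory(base)) {
                continue; // base does not exist on this host, skip it
            }
            // Canonicalise the base too, so a symlinked /tmp still matches.
            if (tmp.startsWith(base.toRealPath())) {
                return tmp;
            }
        }
        throw new IOException("java.io.tmpdir resolves outside allowed locations: " + tmp);
    }

    /** Create the CSV temp file only inside a validated directory. */
    static File createCsvTempFile() throws IOException {
        Path dir = validatedTempDir();
        // Files.createTempFile generates the random part of the name itself and, on POSIX
        // file systems, creates the file with owner-only (rw-------) permissions.
        return Files.createTempFile(dir, "export-", ".csv").toFile();
    }

    public static void main(String[] args) throws IOException {
        File csv = createCsvTempFile();
        System.out.println("created " + csv.getAbsolutePath());
    }
}
```

Whether Fortify recognises this check as a validator depends on its rule set; the point is that the directory, not the random file name, is the part an operator or a -Djava.io.tmpdir flag can redefine.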