hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

add a trailing slash to the folder check in the QHelp for java/path-injection

Browse Source
This commit is contained in:
erik-krogh
2024-01-23 14:46:02 +01:00
parent 00dadeb3bf
commit 158ff0da0a
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/src/Security/CWE/CWE-022/examples/TaintedPathGoodFolder.java
View File

@@ -7,7 +7,7 @@ public void sendUserFileGood(Socket sock, String user) {
Path filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();
// GOOD: ensure that the path stays within the public folder
if (!filePath.startsWith(publicFolder)) {
if (!filePath.startsWith(publicFolder + File.separator)) {
throw new IllegalArgumentException("Invalid filename");
}
BufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));