mirror of
https://github.com/github/codeql.git
synced 2025-12-17 01:03:14 +01:00
The Java recommendation example for the "Partial path traversal vulnerability from remote" query doesn't seem right to me.

Indeed, the following statement doesn't compile, since `dir.getCanonicalPath()` returns a String:

```
dir.getCanonicalPath().toPath()
```

Maybe the author wanted to state `dir.getCanonicalFile().toPath()`, which would compile, but is useless compared to `dir.getCanonicalPath()`.

Moreover, `parent.getCanonicalFile().toPath()` or `parent.getCanonicalPath()` will **not** be slash-terminated, contrary to what the description says.

From what I can see (and test), the correct fix is to concatenate `File.separator` to the parent canonical path.
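The difference between the two checks discussed in the commit message, as an added example that is not code from the CodeQL repository or from the commit author. The class name, method names and sample paths are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;

public class PartialPathTraversalCheck {

    // Check as commonly written: getCanonicalPath() has no trailing separator,
    // so this is a plain string-prefix test and sibling names can match.
    static boolean prefixOnly(File dir, File parent) throws IOException {
        return dir.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // Check with File.separator appended to the parent canonical path,
    // as the commit message proposes.
    static boolean withSeparator(File dir, File parent) throws IOException {
        String parentPath = parent.getCanonicalPath();
        // A filesystem root ("/" or "C:\") already ends with the separator.
        if (!parentPath.endsWith(File.separator)) {
            parentPath += File.separator;
        }
        return dir.getCanonicalPath().startsWith(parentPath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths; none of them needs to exist on disk.
        File base = new File(System.getProperty("java.io.tmpdir"));
        File parent = new File(base, "uploads");
        File[] candidates = {
            new File(parent, "report.txt"),                  // inside parent
            new File(base, "uploads-backup/report.txt"),     // sibling sharing the prefix
            new File(parent, "../uploads-backup/report.txt") // same sibling via ".."
        };
        for (File c : candidates) {
            System.out.printf("%-60s prefixOnly=%-5b withSeparator=%b%n",
                    c.getPath(), prefixOnly(c, parent), withSeparator(c, parent));
        }
    }
}
```

`withSeparator` also returns false for the parent directory itself, so a caller that needs to accept the parent has to compare the two canonical paths for equality as a separate case.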