Unsanitized use of FileUpload filename
- Rule ID: java_lang_file_upload_filename
- Languages: java
- Source: file_upload_filename.yml
Description
Using the filename from FileUpload without sanitization can lead to path traversal attacks. This vulnerability occurs when an attacker manipulates the filename to access files or directories that are outside of the intended directory.
Remediations
- Do not use unsanitized filenames from FileUpload directly. Attackers can exploit these filenames to navigate the server's directory structure.
- Do sanitize user input when handling file paths. Use methods like FilenameUtils.getName() to ensure the path is safe and cannot be manipulated to traverse directories.

    import java.util.List;
    import org.apache.commons.fileupload.FileItem;
    import org.apache.commons.fileupload.servlet.ServletFileUpload;
    import org.apache.commons.io.FilenameUtils;

    ServletFileUpload upload = new ServletFileUpload();
    List<FileItem> fileItems = upload.parseRequest(request);
    for (FileItem item : fileItems) {
        // getName() keeps only the text after the last '/' or '\', dropping any directory part
        String filename = FilenameUtils.getName(item.getName());
        // ...
    }
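The following is an added example, not code from the Bearer rule or its documentation. It shows what FilenameUtils.getName() actually does to a selection of constructed filenames, and adds the second check a practitioner usually wants alongside it: resolving the sanitized name against the upload directory and verifying on the normalized absolute path that it stayed inside. The class and method names (SafeUploadName, sanitize, resolveInside) are hypothetical, and Apache Commons IO is assumed to be on the classpath.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.commons.io.FilenameUtils;

/**
 * Added example (not part of the Bearer rule or its documentation).
 * Demonstrates FilenameUtils.getName() on typical traversal-style inputs and
 * an independent containment check on the final resolved path.
 */
public class SafeUploadName {

    /** Returns the sanitized base name, or throws if nothing usable remains. */
    static String sanitize(String rawName) {
        if (rawName == null) {
            throw new IllegalArgumentException("missing filename");
        }
        // Keeps only the text after the last '/' or '\' (both separators are
        // handled regardless of platform), so "../../etc/passwd" becomes
        // "passwd" and "..\\..\\win.ini" becomes "win.ini".
        String name = FilenameUtils.getName(rawName);
        // getName() leaves "." and ".." untouched (there is no separator to
        // strip) and returns "" for names ending in a separator; reject these.
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("unusable filename: " + rawName);
        }
        return name;
    }

    /**
     * Resolves the sanitized name inside uploadDir and verifies, on the
     * normalized absolute path, that the result did not escape the directory.
     */
    static Path resolveInside(Path uploadDir, String rawName) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(sanitize(rawName)).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("path escapes upload directory: " + rawName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path uploadDir = Files.createTempDirectory("uploads");
        // Constructed sample filenames, as a client might send them in a
        // multipart request; none of these are read or written here.
        String[] samples = {
            "report.pdf",
            "../../etc/passwd",
            "..\\..\\windows\\win.ini",
            "/tmp/notes.txt",
            "uploads/",
            "..",
        };
        for (String raw : samples) {
            try {
                System.out.println(raw + " -> " + resolveInside(uploadDir, raw));
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println(raw + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment check is deliberately redundant with getName(): it costs nothing and catches a regression if someone later replaces the sanitizer with a weaker one or builds the path from additional request-controlled segments.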
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=java_lang_file_upload_filename
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=java_lang_file_upload_filename