Possible path traversal vulnerability detected

Description

Passing unsanitized user input to path resolution methods (for example, building a `File` from a request parameter) lets an attacker reach files and folders outside the intended directory by supplying segments such as `../`.

Remediations

❌ Avoid wherever possible

✅ Sanitize user input when resolving paths, for example: use FilenameUtils.getName() to strip directory components from a user-supplied file name, which removes unwanted patterns in the path (such as \..\..)

  import java.io.File;
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import org.apache.commons.io.FilenameUtils;

  public class Cls extends HttpServlet
  {
      public void handleRequest(HttpServletRequest request, HttpServletResponse response)
      {
          String image = request.getParameter("user_profile_picture");
          // getName() keeps only the final path segment, so any "../" or "..\" prefix is discarded
          File file = new File("user/profile/" + FilenameUtils.getName(image));
      }
  }
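The following is an added example (not part of the Bearer rule page) showing the same remediation outside a servlet, with a canonical-path containment check layered on top of FilenameUtils.getName(). It assumes commons-io is on the classpath; the class name ProfilePictureResolver and the sample inputs are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

public class ProfilePictureResolver {
    // Hypothetical base directory for stored profile pictures
    private static final File BASE_DIR = new File("user/profile");

    /** Returns the File for a user-supplied picture name, or null if the name is unusable. */
    public static File resolve(String userInput) throws IOException {
        if (userInput == null || userInput.isEmpty()) {
            return null;
        }
        // Step 1: keep only the last path segment, so "../../etc/passwd" and
        // "..\\..\\x" both collapse to a bare file name (handles / and \ separators).
        String name = FilenameUtils.getName(userInput);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            return null;
        }
        File candidate = new File(BASE_DIR, name);
        // Step 2 (defence in depth): confirm the canonical path is still inside BASE_DIR.
        // getCanonicalPath() resolves ".." and symlinks without requiring the file to exist.
        String basePath = BASE_DIR.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(basePath)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one benign name, two traversal attempts, two degenerate values
        String[] samples = { "avatar.png", "../../etc/passwd", "..\\..\\windows\\win.ini", "..", "" };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + resolve(s));
        }
    }
}
```

The traversal inputs resolve to plain file names inside user/profile, while ".." and the empty string are rejected rather than silently mapped to the base directory itself.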

Resources

Associated CWE

OWASP Top 10
