Fixing PathTraversal in AppScan Tool

Time: 2014-12-04 14:02:18

Tags: java

I ran the IBM AppScan tool on Java source. It lists some findings under "PathTraversal - Promote to Vulnerability" at the line "pageFile = new File(fileName);". May I know what the solution to this problem is?

package mig;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.channels.FileChannel;

import mig.one.GenConstants;
import mig.one.GenInit;
import mig.one.GenException;
import mig.one.GenExpConstants;
import mig.one.GenLogger;

public class Generate {

    private static final String EVENT_TYPE  ="EXTENSION_XML";

    private static GenLogger logger = GenLogger.getLogger();

    public static void main(String[] args) throws GenException {

        GenInit genMigration = new GenInit(args);
        genMigration.parseArguments(args);

        File pageFile=null;
        String fileName = null;

        try {
            if (args[1].equalsIgnoreCase("-f")) {

                fileName = GenConstants.MAP_FILE;
                logger.logDebug(EVENT_TYPE, "Menu Map File name ::" + fileName);

                pageFile = new File(fileName);
            }
        } catch (GenException ume) {

            logger.logError(EVENT_TYPE, ume.getMessage(), ume);
            throw ume;
        } catch (Throwable th) {

            logger.logError(EVENT_TYPE, th.getMessage(), th);
            throw new GenException(GenExpConstants.EM_UNKNOWN, new String[]{th.getMessage()}, th);
        } finally {
            logger.logDebug(EVENT_TYPE, "####################################################\n");
        }
    }
}

In the code above, GenConstants.MAP_FILE = System.getProperty("user.dir") + File.separator + "file.cfg";

1 answer:

Answer 0: (score: 0)

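You need to check the trace data for this finding. Based on your update, I think the taint comes from the user.dir property, and the value is not sanitized.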
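
One way to validate a path built from the user.dir property before it reaches new File(...), shown as an added example that is not part of the original question or answer. The class SafeConfigPath and the helper resolveInside are hypothetical names, and the traversal inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeConfigPath {

    // Hypothetical helper: resolve fileName inside baseDir and refuse anything that escapes it.
    static Path resolveInside(String baseDir, String fileName) throws IOException {
        if (baseDir == null || baseDir.isEmpty()) {
            throw new IOException("base directory is not set");
        }
        // toRealPath() makes the path absolute, removes ".." and follows symlinks;
        // it throws if the directory does not exist.
        Path base = Paths.get(baseDir).toRealPath();
        if (!Files.isDirectory(base)) {
            throw new IOException("base is not a directory: " + base);
        }
        Path candidate = base.resolve(fileName).normalize();
        // If the entry already exists, compare its real location so a symlink
        // cannot point outside the base directory.
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            candidate = candidate.toRealPath();
        }
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        String base = System.getProperty("user.dir");   // the tainted source named in the answer
        System.out.println(resolveInside(base, "file.cfg"));
        for (String bad : new String[] {"../file.cfg", "sub/../../file.cfg"}) {   // constructed inputs
            try {
                System.out.println("accepted: " + resolveInside(base, bad));
            } catch (IOException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```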