| Project Name | CID | Checker | Category | Developer Description |
|---|---|---|---|---|
| FenixEdu/fenixedu-academic | 94425 | PATH_MANIPULATION | High impact security | Allowing users to specify a file to be downloaded in the Application Server's file system, leading to information leakage. |
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 |
if (photo.getRawSize() > MAX_RAW_SIZE) { actionMessages.add("fileTooLarge", new ActionMessage("errors.fileTooLarge")); saveMessages(request, actionMessages); photo.deleteTemporaryFiles(); return prepare(mapping, actionForm, request, response); } try { photo.processImage(); } catch (UnableToProcessTheImage e) { actionMessages.add("unableToProcessImage", new ActionMessage("errors.unableToProcessImage")); saveMessages(request, actionMessages); photo.deleteTemporaryFiles(); return prepare(mapping, actionForm, request, response); } photo.createTemporaryFiles(); request.setAttribute("preview", true); request.setAttribute("photo", photo); return mapping.findForward("confirm"); } public ActionForward preview(ActionMapping mapping, ActionForm actionForm, HttpServletRequest request, HttpServletResponse response) throws Exception { |
<< 1. "javax.servlet.ServletRequest.getParameter(java.lang.String)" returns data from a servlet request.
143 |
String filename = request.getParameter("file"); |
<<< CID 94425: High impact security PATH_MANIPULATION <<< 2. Constructing a path using the tainted value "filename". This may allow an attacker to access, modify, or test the existence of critical or sensitive files.
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 |
FileInputStream file = new FileInputStream(filename); DataOutputStream output = new DataOutputStream(response.getOutputStream()); output.write(ByteStreams.toByteArray(file)); output.close(); return null; } public ActionForward save(ActionMapping mapping, ActionForm actionForm, HttpServletRequest request, HttpServletResponse response) throws Exception { PhotographUploadBean photo = getRenderedObject(); RenderUtils.invalidateViewState(); UploadOwnPhoto.run(ByteStreams.toByteArray(photo.getFileInputStream()), ContentType.getContentType(photo.getContentType())); final Person person = Authenticate.getUser().getPerson(); request.setAttribute("personBean", new PersonBean(person)); EmergencyContactBean emergencyContactBean = new EmergencyContactBean(person); request.setAttribute("emergencyContactBean", emergencyContactBean); return mapping.findForward("visualizePersonalInformation"); } public ActionForward cancel(ActionMapping mapping, ActionForm actionForm, HttpServletRequest request, HttpServletResponse response) throws Exception { request.setAttribute("personBean", new PersonBean(AccessControl.getPerson())); request.setAttribute("emergencyContactBean", new EmergencyContactBean(AccessControl.getPerson())); return mapping.findForward("visualizePersonalInformation"); } |
| 1. tainted_source | UploadPhotoDA.java:143 | |
| 1. tainted_source | UploadPhotoDA.java:143 | |
| 1. tainted_source | UploadPhotoDA.java:143 | |
| 2. sink | UploadPhotoDA.java:144 | |
| 2. sink | UploadPhotoDA.java:144 | |
| 2. sink | UploadPhotoDA.java:144 |