How to fix Findbugs security warning for 'Potential Path Traversal (File Read)'

how to fix path traversal in java
path traversal vulnerability fix in java
read a file whose location might be specified by user input sonar
findsecbugs
make sure this file handling is safe here
file path manipulation vulnerability
arbitrary file read vulnerability
how to prevent directory traversal attack

I'm getting above warning with 'Method java.io.File reads a file whose location is specified by user input' message after running findbugs in the below code snippet.

public void removeFile(String warfileName){
    File warFile = new File(homePath + "/samples/" + warFileName + ".war");
.....
}

What would be the best way of fixing this security isssue?


As @Jeet pointed out, one solution is described into the page. Basically, it sugests to use a framework to "normalize" the user input, ie:

File file = new File("resources/images/", image); //Weak point
File file = new File("resources/images/", FilenameUtils.getName(image)); //Fix

The problem with this solution is that it introduces a dependency to your project (to Apache Commons).

So instead using FilenameUtils.getName, you could try to use java 7 Files and Path. Probably Path#getFileName() would help to fix the vunerability.

How to fix Findbugs security warning for 'Potential Path Traversal , I'm getting above warning with 'Method java.io.File reads a file whose location is specified by user input' message after running findbugs in the below code snippet  HBASE-5598 Analyse and fix the findbugs reporting by QA and add invalid bugs into findbugs-excludeFilter file; HBASE-5649 [findbugs] Fix security warning. Log In


you can use

File file = new File(FilenameUtils.getName(image));

How to fix Findbugs security warning for 'Potential Path , How to fix Findbugs security warning for 'Potential Path Traversal (File Read)'. I'm getting above warning with 'Method java.io.File reads a file whose location is  Stack Overflow for Teams is a private, secure spot for you and your coworkers to find and share information. Learn more Findbugs: Howto ignore Priority 2 and 3 warnings?


or else Path

Path target = new File("/home/jt/", 
FilenameUtils.getName(getName())).toPath();
Path source = new File("/home/jt/new/", 
FilenameUtils.getName(getName())).toPath();

Files.move(source, target, StandardCopyOption.REPLACE_EXISTING);

java - How to fix Findbugs security warning for ', i'm getting above warning 'method java.io.file reads file location specified user input' message after running findbugs in below code snippet. FindBugs is reporting one warning which points to both of the errors; neither of the SuppressWarnings is effective. And you can't place an annotation on a static initializer. I might fix this in the analysis, but it seems like a corner case.


Bug Patterns, Be sure that the correct findbugs SuppressWarnings annotation is being used. 1. import edu.umd.cs.findbugs.annotations.SuppressWarnings;  Close out the Safari tab or window that the pop-up appeared in. Open Settings on your iPhone. Toggle on Airplane Mode. The reason for toggling on Airplane Mode is to temporarily disconnect from the internet, this way you can reset Safari while blocking unwanted access to your iPhone.


Suppress FindBugs Warnings in a Java and Spring Boot Web , annotations.SuppressWarnings annotation. Just add it in the place where FindBugs reported problem, and use the appropriate bug code. You  Follow these steps to automatically diagnose and repair Windows security problems by turning on UAC, DEP protection, Windows Firewall, and other Windows security options and features. Select the Download button on this page.


Suppressing FindBugs Warnings, Fix for Bug3588379; Fixed false positive null pointer warning coming SECURITY (Abbrev: S), A use of untrusted input in a way that could  FindBugs 2.0.3 is intended to be a minor bug fix release over FindBugs 2.0.2. Although than some improvements to existing bug detectors and analysis engines, and a few new bug patterns, and some important bug fixes to the Eclipse plugin, no significant changes should be observed.