I have this code:

File file = new File(fileName)

This fileName I am preparing from other details. However, I am getting an "External Control of File Name or Path" flaw when I submit my code to the security scan tool 'Vera Code'. Can someone please help me with how to resolve this?
The reported issue means that someone might be able to modify the fileName from outside, e.g. through user input or by modifying a configuration file. See also CWE-73: External Control of File Name or Path.

This leads to a security flaw where an attacker could gain access to arbitrary files on your filesystem and either read them or even overwrite files other than the intended ones.

You need to check what the source of the various parts of your fileName is. For example, suppose the user is able to provide the extn through your web UI. If you use the user input in your application without further validation, the user might be able to access files that they should not:
User input: extn="/../etc/passwd"
Resulting fileName: "/certificateId docTypeLongName_FileId/../etc/passwd"
To solve this, you can use validation to make sure that the input does not contain specific strings like "..", or you can use whitelists (if the possible input range is limited) to make sure that only well-known values are submitted.
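The two mitigations from the answer (validating the untrusted parts and whitelisting the extension), combined with a canonical-path containment check, as an added example in Java. This is not code from the question or the answer; the base directory, the whitelist contents, the character class, and the way the parts are joined into the name are all assumptions made for the example, since the question only says the name is assembled from "other details".

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

public class SafeFileResolver {

    // Directory every resolved file must stay inside. The location is an assumption
    // for this example; the original question does not say where the files live.
    private static final Path BASE_DIR = canonical(Paths.get("/var/app/documents"));

    // Whitelist: the only extensions the application is known to produce (assumed set).
    private static final Set<String> ALLOWED_EXTN = Set.of("pdf", "txt", "xml");

    // Each untrusted name part may contain only these characters. This rejects
    // "/", "\", "." (and therefore "..") and NUL before they ever reach the File API.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    public static File resolve(String certificateId, String docTypeLongName,
                               String fileId, String extn) throws IOException {
        requireSafeSegment(certificateId, "certificateId");
        requireSafeSegment(docTypeLongName, "docTypeLongName");
        requireSafeSegment(fileId, "fileId");
        if (extn == null || !ALLOWED_EXTN.contains(extn)) {
            throw new IllegalArgumentException("extn not in whitelist: " + extn);
        }

        // Build the name from validated parts only. The layout of the name is an
        // assumption; the question only shows that it is assembled from these details.
        String fileName = certificateId + "_" + docTypeLongName + "_" + fileId + "." + extn;

        // Defence in depth: resolve under BASE_DIR, canonicalise (collapses ".." and
        // follows symlinks in existing path prefixes), then prove the result is still
        // inside BASE_DIR. getCanonicalFile() works even if the file does not exist yet.
        File file = BASE_DIR.resolve(fileName).toFile().getCanonicalFile();
        if (!file.toPath().startsWith(BASE_DIR)) {
            throw new SecurityException("resolved path escapes base directory: " + file);
        }
        return file;
    }

    private static void requireSafeSegment(String value, String what) {
        if (value == null || !SAFE_SEGMENT.matcher(value).matches()) {
            throw new IllegalArgumentException(what + " contains disallowed characters: " + value);
        }
    }

    // BASE_DIR is canonicalised too, so that a symlinked base directory compares
    // correctly with the canonicalised result in resolve().
    private static Path canonical(Path p) {
        try {
            return p.toFile().getCanonicalFile().toPath();
        } catch (IOException e) {
            throw new IllegalStateException("cannot canonicalise base directory", e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a legitimate request, then the traversal attempt from the answer.
        System.out.println(resolve("cert123", "Invoice", "42", "pdf"));
        try {
            resolve("cert123", "Invoice", "42", "/../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The whitelist and the character class are the validation the answer recommends; the startsWith check on the canonical path is the safety net for anything that still slips through (for example a symlink inside the base directory). Whether a particular scanner stops reporting CWE-73 after this change depends on the scanner recognising the validation as a sanitiser, so it is worth checking the tool's documentation on which cleansing patterns it accepts; the containment check is what actually prevents the traversal regardless of what the scanner reports.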