RSTR-PTH-003 — Java new File(servletRequest.getParameter(...))
Summary
A Java servlet builds a File (or Paths.get) using request
parameters directly. The classic input ../../etc/passwd (or
..\..\windows\win.ini on Windows) lets an attacker escape any
intended directory.
Severity
High.
Languages
Java, Kotlin.
What rastray flags
File f = new File(request.getParameter("name")); // ← flagged
File f = new File("uploads/" + request.getParameter("name")); // ← flagged
Path p = Paths.get(request.getParameter("name")); // ← flagged
What rastray deliberately does not flag
- Paths.get(SAFE_DIR, FilenameUtils.getName(input)).
- Reads of constant paths.
How to fix it
Canonicalize the resolved path and verify it stays inside the
intended base. With Apache Commons FilenameUtils:
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

Path base = Paths.get("/var/app/uploads").toRealPath();           // canonical base
String name = FilenameUtils.getName(request.getParameter("name")); // strips dirs
// toRealPath() follows symlinks, so a link inside base that points outside
// fails the check below; it throws NoSuchFileException if the file is absent.
Path target = base.resolve(name).toRealPath();
if (!target.startsWith(base)) {
    throw new SecurityException("path escape");
}
return Files.readAllBytes(target);
If you can't take Commons-IO as a dependency, hand-roll the strip with
Paths.get(name).getFileName(), and keep the canonicalize-and-startsWith
check: getFileName() returns ".." unchanged for the input "..", so the
strip alone is not a guard.
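The following is an added, self-contained Java example (not rastray's code and not from the page) of the dependency-free variant: it strips to the leaf name with Path.getFileName(), canonicalizes with toRealPath(), and enforces the startsWith check. The helper names (safeResolve, PathEscapeException) and the temporary-directory fixture are assumptions made for the demo; it exercises the page's two classic inputs plus the ".." and in-base-symlink cases that the leaf strip alone does not neutralise.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public final class SafePathDemo {

    /** Thrown when the requested name would resolve outside the base directory. */
    static final class PathEscapeException extends SecurityException {
        PathEscapeException(String msg) { super(msg); }
    }

    /**
     * Resolve an untrusted name against base and return the canonical path only
     * if it is still inside base. Hypothetical helper; mirrors the page's fix
     * without Commons-IO.
     */
    static Path safeResolve(Path base, String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty()) {
            throw new PathEscapeException("empty name");
        }
        // Treat backslashes as separators even on POSIX, so "..\\x" is not one segment.
        String normalised = untrusted.replace('\\', '/');
        Path leaf;
        try {
            leaf = Paths.get(normalised).getFileName(); // may throw on illegal chars
        } catch (InvalidPathException e) {
            throw new PathEscapeException("invalid name: " + untrusted);
        }
        if (leaf == null) { // e.g. "/" has no file-name element
            throw new PathEscapeException("no file name in: " + untrusted);
        }
        Path realBase = base.toRealPath();
        // toRealPath() follows symlinks and throws NoSuchFileException when absent,
        // so both an in-base link pointing outside and a missing file are rejected.
        Path target = realBase.resolve(leaf).toRealPath();
        if (!target.startsWith(realBase)) {
            throw new PathEscapeException("path escape: " + untrusted);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: uploads/ is the base; secret.txt sits one level above it.
        Path root = Files.createTempDirectory("rstr-pth-003");
        Path base = Files.createDirectory(root.resolve("uploads"));
        Files.writeString(base.resolve("report.txt"), "inside\n");
        Path secret = Files.writeString(root.resolve("secret.txt"), "outside\n");
        try {
            Files.createSymbolicLink(base.resolve("link.txt"), secret);
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("(symlink case skipped: " + e.getMessage() + ")");
        }

        List<String> inputs = List.of(
            "report.txt",               // legitimate
            "../secret.txt",            // classic traversal
            "../../etc/passwd",         // classic traversal, deeper
            "..\\..\\windows\\win.ini", // Windows-style separators
            "..",                       // leaf strip keeps "..": startsWith must catch it
            "link.txt");                // in-base symlink pointing outside base

        for (String in : inputs) {
            // The flagged pattern: resolve the raw parameter and hope for the best.
            Path naive = base.resolve(in.replace('\\', '/')).normalize();
            System.out.printf("%-26s naive -> %s%n", in,
                naive.startsWith(base) ? "inside base" : "ESCAPES base");
            try {
                Path ok = safeResolve(base, in);
                System.out.printf("%-26s safe  -> OK, read: %s%n", "", Files.readString(ok).trim());
            } catch (PathEscapeException e) {
                System.out.printf("%-26s safe  -> REJECTED (%s)%n", "", e.getMessage());
            } catch (NoSuchFileException e) {
                System.out.printf("%-26s safe  -> REJECTED (no such file)%n", "");
            }
        }
    }
}
```

Compile and run with `javac SafePathDemo.java && java SafePathDemo` (Java 11 or newer for Files.writeString/readString). Only "report.txt" is served; the two traversal inputs lose their directory part and then fail as missing files, ".." is caught by the startsWith check, and "link.txt" is caught because toRealPath() follows the link out of the base.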