Modify rule S2083(mult. lang): Add absolute path joining pitfall (APPSEC-213) (#1370)

rules/S2083/common/pitfalls/oob-specific-path-joining.adoc

@@ -0,0 +1,9 @@
+==== Do not use {joining_func} as a validator
+
+As specified in the {joining_docs}[official documentation], if the given
+parameter is an absolute path, the base object from which the method is called
+is discarded and is not included in the resulting string.
+
+This means that including untrusted data in the parameter and using the
+resulting string for file operations may lead to a path traversal vulnerability.
+

rules/S2083/common/pitfalls/path-joining.adoc

@@ -0,0 +1,8 @@
+==== Do not use {joining_func} as a validator
+
+The {joining_docs}[official documentation] states that if any argument other
+than the first is an absolute path, any previous argument is discarded.
+
+This means that including untrusted data in any of the parameters and using the
+resulting string for file operations may lead to a path traversal vulnerability.
+

rules/S2083/common/pitfalls/python-path-join.adoc

@@ -1,12 +0,0 @@
-==== os.path.join(path, \*paths)
-
-This function should not be used as a validator.
-
-The standard library states: *"if a component is an absolute path, all previous
-components are discarded, and linking continues from the component with the
-absolute path."*
-
-This means that including untrusted data in any of the path parameters can lead
-to a full or partial path traversal vulnerability.
-
-https://blog.sonarsource.com/10-unknown-security-pitfalls-for-python/[This Sonar blog post] talks about this issue.

rules/S2083/csharp/how-to-fix-it/dotnet.adoc

@@ -78,3 +78,7 @@ The validation code should be tested to ensure that it cannot be impacted by thi
 issue.
 
 https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
+
+:joining_docs: https://learn.microsoft.com/en-us/dotnet/api/system.io.path.combine
+:joining_func: Path.Combine
+include::../../common/pitfalls/path-joining.adoc[]

rules/S2083/java/how-to-fix-it/java-se.adoc

@@ -83,3 +83,9 @@ The validation code should be tested to ensure that it cannot be impacted by thi
 issue.
 
 https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
+
+=== Pitfalls
+
+:joining_docs: https://docs.oracle.com/javase/8/docs/api/java/nio/file/Path.html
+:joining_func: java.nio.file.Path.resolve
+include::../../common/pitfalls/oob-specific-path-joining.adoc[]

rules/S2083/javascript/how-to-fix-it/express.adoc

@@ -38,3 +38,11 @@ function (req, res) {
 include::../../common/fix/function-based-validation.adoc[]
 
 include::../../common/fix/self-validation.adoc[]
+
+=== Pitfalls
+
+:joining_docs: https://nodejs.org/api/path.html#pathresolvepaths
+:joining_func: path.resolve
+include::../../common/pitfalls/path-joining.adoc[]
+
+

rules/S2083/javascript/how-to-fix-it/node.adoc

@@ -75,3 +75,7 @@ return value. +
 The validation code should be tested to ensure that it cannot be impacted by
 this issue.
 
+:joining_docs: https://nodejs.org/api/path.html#pathresolvepaths
+:joining_func: path.resolve
+include::../../common/pitfalls/path-joining.adoc[]
+

rules/S2083/python/how-to-fix-it/flask.adoc

@@ -46,5 +46,8 @@ include::../../common/fix/function-based-validation.adoc[]
 
 === Pitfalls
 
-include::../../common/pitfalls/python-path-join.adoc[]
+:joining_docs: https://docs.python.org/3/library/os.path.html#os.path.join
+:joining_func: os.path.join
+include::../../common/pitfalls/path-joining.adoc[]
 
+If you want to learn more about this pitfall, read https://blog.sonarsource.com/10-unknown-security-pitfalls-for-python/[our blog post about it].