Add Kotlin rule description, minor java description change

2025-03-27 09:37:45 +01:00 · 2025-03-27 09:37:45 +01:00 · 6bdb560e7c
commit 6bdb560e7c
parent 842cfdf9f9
5 changed files with 143 additions and 38 deletions
--- a/rules/S6549/java/how-to-fix-it/java-io-api.adoc
+++ b/rules/S6549/java/how-to-fix-it/java-io-api.adoc
@ -1,4 +1,4 @@
-== How to fix it in Java SE
+== How to fix it in Java I/O API

 === Code examples

@ -16,7 +16,7 @@ public class ExampleController
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
-    public void delete(@RequestParam("filename") String filename) throws IOException {
+    public void exists(@RequestParam("filename") String filename) throws IOException {

        File file = new File(targetDirectory + filename);
        if (!file.exists()) { // Noncompliant
@ -38,7 +38,7 @@ public class ExampleController
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
-    public void delete(@RequestParam("filename") String filename) throws IOException {
+    public void exists(@RequestParam("filename") String filename) throws IOException {

        File file = new File(targetDirectory + filename);
        String canonicalDestinationPath = file.getCanonicalPath();
@ -71,7 +71,7 @@ that the string `targetDirectory` does not end with a path separator:
 static private String targetDirectory = "/Users/John";

@GetMapping(value = "/endpoint")
-public void endpoint(@RequestParam("folder") fileName) throws IOException {
+public void endpoint(@RequestParam("folder") File fileName) throws IOException {

    String canonicalizedFileName = fileName.getCanonicalPath();

--- a/rules/S6549/java/rule.adoc
+++ b/rules/S6549/java/rule.adoc
@ -6,7 +6,7 @@ include::../impact.adoc[]

 // How to fix it section

-include::how-to-fix-it/java-se.adoc[]
+include::how-to-fix-it/java-io-api.adoc[]

 == Resources

--- a/rules/S6549/kotlin/how-to-fix-it/java-io-api.adoc
+++ b/rules/S6549/kotlin/how-to-fix-it/java-io-api.adoc
@ -0,0 +1,94 @@
+== How to fix it in Java I/O API
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+@Controller
+class ExampleController {
+    companion object {
+        private const val TARGET_DIRECTORY = "/path/to/target/directory/"
+    }
+    @GetMapping("/exists")
+    fun exists(@RequestParam("filename") filename: String) {
+
+        val file = File(TARGET_DIRECTORY + filename)
+        if (!file.exists()) { // Noncompliant
+            throw IOException("File does not exists in the target directory")
+        }
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+@Controller
+class ExampleController {
+    companion object {
+        private const val TARGET_DIRECTORY = "/path/to/target/directory/"
+    }
+    @GetMapping("/exists")
+    fun exists(@RequestParam("filename") filename: String) {
+
+        val file = File(TARGET_DIRECTORY + filename)
+        val canonicalDestinationPath: String = file.getCanonicalPath()
+
+        if (!canonicalDestinationPath.startsWith(TARGET_DIRECTORY)) {
+            throw IOException("Entry is outside of the target directory")
+        } else if (!file.exists()) {
+            throw IOException("File does not exists in the target directory")
+        }
+    }
+}
+----
+
+=== How does this work?
+
+:canonicalization_function: java.io.File.getCanonicalPath
+
+include::../../common/fix/canonical-path-validation.adoc[]
+
+=== Pitfalls
+
+include::../../common/pitfalls/partial-path-traversal.adoc[]
+
+For example, the following code is vulnerable to partial path injection. Note
+that the string `targetDirectory` does not end with a path separator:
+
+
+[source, kotlin]
+----
+companion object {
+    private val TARGET_DIRECTORY = "/Users/John"
+}
+@GetMapping("/endpoint")
+fun endpoint(@RequestParam("folder") file: File) {
+    val canonicalizedFileName = file.getCanonicalPath()
+    if (!canonicalizedFileName.startsWith(TARGET_DIRECTORY)) {
+        throw IOException("Entry is outside of the target directory")
+    }
+}
+----
+
+This check can be bypassed if other directories start with `John`. For instance, `"/Users/Johnny".startsWith("/Users/John")`
+returns `true`. Thus, for validation, `"/Users/John"` should actually be
+`"/Users/John/"`.
+
+**Warning**: Some functions, such as `getCanonicalPath`, remove the
+terminating path separator in their return value. +
+The validation code should be tested to ensure that it cannot be impacted by this
+issue.
+
+https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
+
+
+:joining_docs: https://docs.oracle.com/javase/8/docs/api/java/nio/file/Path.html
+:joining_func: java.nio.file.Path.resolve
+
+include::../../common/pitfalls/oob-specific-path-joining.adoc[]
--- a/rules/S6549/kotlin/metadata.json
+++ b/rules/S6549/kotlin/metadata.json
@ -1,2 +1,33 @@
 {
-}
+  "securityStandards": {
+    "CWE": [
+      20,
+      22
+    ],
+    "OWASP": [
+      "A5",
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A1",
+      "A3"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.8"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "12.3.1",
+      "5.1.3",
+      "5.1.4"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222609"
+    ]
+  }
+}
--- a/rules/S6549/kotlin/rule.adoc
+++ b/rules/S6549/kotlin/rule.adoc
@ -1,44 +1,24 @@
-FIXME: add a description
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
-
 == Why is this an issue?

-FIXME: remove the unused optional headers (that are commented out)
+include::../rationale.adoc[]

-//=== What is the potential impact?
+include::../impact.adoc[]

-== How to fix it
-//== How to fix it in FRAMEWORK NAME
+// How to fix it section

-=== Code examples
+include::how-to-fix-it/java-io-api.adoc[]

-==== Noncompliant code example
+== Resources

-[source,kotlin,diff-id=1,diff-type=noncompliant]
----
-FIXME
----
+include::../common/resources/standards-mobile.adoc[]

-==== Compliant solution
+ifdef::env-github,rspecator-view[]

-[source,kotlin,diff-id=1,diff-type=compliant]
----
-FIXME
----
+'''
+== Implementation Specification
+(visible only on this page)

-//=== How does this work?
-
-//=== Pitfalls
-
-//=== Going the extra mile
+include::../message.adoc[]


-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+endif::env-github,rspecator-view[]