
I have a piece of code wherein I have to read a file for its possible contents.

I'm encountering Path Manipulation Error for the same.

PFB the code:

```java
import java.io.File;
import java.io.FileOutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.owasp.esapi.ESAPI;

// zis is the ZipInputStream being read; _destination is the target directory prefix
ZipEntry ze;
byte[] buffer = new byte[4096];
int size;
while ((ze = zis.getNextEntry()) != null) {
    String fileName = ze.getName();
    String esapiFileName = ESAPI.encoder().canonicalize(fileName);
    boolean esapiValidFileName = ESAPI.validator().isValidFileName("upload", esapiFileName, false);
    String _completefileNamePath = null;
    if (esapiValidFileName) {
        _completefileNamePath = _destination + esapiFileName;
        // Below line having Path Manipulation error
        FileOutputStream fos = new FileOutputStream(new File(_completefileNamePath).getCanonicalFile());
        // Path Manipulation error ends
        while ((size = zis.read(buffer, 0, buffer.length)) != -1) {
            fos.write(buffer, 0, size);
        } // while
        fos.flush();
        fos.close();
        zis.closeEntry();
    }
}
```
Mureinik
Alpesh003

1 Answer

2

Are your paths relative or absolute?

BTW, you actually don't need to get the canonical file before opening a FileOutputStream:

```java
FileOutputStream fos = new FileOutputStream(_completefileNamePath);
```

or

```java
FileOutputStream fos = new FileOutputStream(new File(_completefileNamePath));
```

or

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;

ZipEntry ze;
while ((ze = zis.getNextEntry()) != null) {
    String fileName = ze.getName();
    String esapiFileName = ESAPI.encoder().canonicalize(fileName);
    boolean esapiValidFileName = ESAPI.validator().isValidFileName("upload", esapiFileName, false);
    String _completefileNamePath = null;
    if (esapiValidFileName) {
        _completefileNamePath = _destination + esapiFileName;
        // optional: Files.createDirectories(Paths.get(_completefileNamePath).getParent());
        // Files.copy reads until the stream reports end-of-entry, so it copies only this entry
        Files.copy(zis, Paths.get(_completefileNamePath));
        zis.closeEntry();
    }
}
```
Daniel Sperry
  • so just removing the canonical file info will suffice? – Alpesh003 May 07 '15 at 12:33
  • It might, because it wasn't necessary anyway. And provided that the file name is indeed valid. – Daniel Sperry May 07 '15 at 12:44
  • Ok let me try removing the canonical file. – Alpesh003 May 07 '15 at 12:59
  • the completefileNamePath is /home/batch/app/ackfile/filename.txt – Alpesh003 May 07 '15 at 13:43
  • is it working now? Does that dir exist "/home/batch/app/ackfile/" ? – Daniel Sperry May 07 '15 at 15:15
  • The directory exists as we're able to read the file. I have run the scan on the code. Checking the results as the scan is scheduled twice a day. – Alpesh003 May 08 '15 at 07:05
  • It's still having the same error now on this line of code. FileOutputStream fos = new FileOutputStream(new File(_completefileNamePath)); – Alpesh003 May 11 '15 at 12:50
  • So, let's drill down: Is any part of that path a link (symbolic or otherwise)? Is that path accessible to the user that runs this code (test with `sudo su - user_name`)? Are you sure that the path that has the problem is really `/home/batch/app/ackfile/filename.txt` and not some other path? Are you sure that the zip file doesn't contain entries with absolute paths or other malicious data? – Daniel Sperry May 11 '15 at 13:25
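The containment check the last comment is driving at, as an added example (not code from the question or the answer): each entry name is resolved against the destination directory, normalized, and rejected if the result no longer lies under that directory, which is the property a Path Manipulation finding wants to see enforced. `/home/batch/app/ackfile` is the path from the question; the entry names in `main` are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
public class SafeUnzip {
    // Resolve an entry name against the destination directory and reject
    // anything that would land outside it (absolute names, "..", etc.).
    // normalize() does not follow symlinks; use destination.toRealPath() if the destination may be a link.
    static Path resolveInside(Path destination, String entryName) throws IOException {
        Path destDir = destination.toAbsolutePath().normalize();
        Path target = destDir.resolve(entryName).normalize();
        // Path.startsWith compares whole name elements, so "ackfile2" is not treated as a child of "ackfile"
        if (!target.startsWith(destDir)) {
            throw new IOException("zip entry escapes destination: " + entryName);
        }
        return target;
    }
    static void extract(InputStream in, Path destination) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry ze;
            while ((ze = zis.getNextEntry()) != null) {
                Path target = resolveInside(destination, ze.getName());
                if (ze.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // copies only this entry: read() returns -1 at the entry boundary
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }
    public static void main(String[] args) {
        Path dest = Paths.get("/home/batch/app/ackfile"); // path from the question
        for (String name : new String[] {"filename.txt", "../outside.txt", "/tmp/outside.txt"}) {
            try {
                System.out.println("ok:       " + resolveInside(dest, name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first name is accepted; the other two resolve outside the destination and are refused before any file is opened.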