I am reading a JSON file in Java 11 as shown below, but when analyzing it with SonarQube I get an error on the scan. Please let me know how to overcome this:
File file = ResourceUtils.getFile("classpath:8Aug.json");
byte[] bFile = readAllBytes(Paths.get(file.getAbsolutePath()));
The error that I am getting on scanning with SonarQube is shown below:
java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path; reads a file whose location might be specified by user input, A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.
This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is false positive.
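The two situations the rule text distinguishes, as an added example that is not part of the original question: a fixed classpath resource read as a stream (no user-controlled path reaches a file API), and a caller-supplied name confined to a base directory. The class and method names are hypothetical, the sample directory and file content are constructed, and `8Aug.json` is assumed to sit at the classpath root.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeJsonRead { // hypothetical class name

    // Case 1: the resource name is a compile-time constant, so no input parameter
    // ever reaches a filesystem API. A stream also works when packaged in a JAR.
    static byte[] readBundled() throws IOException {
        try (InputStream in = SafeJsonRead.class.getResourceAsStream("/8Aug.json")) {
            if (in == null) {
                throw new IOException("8Aug.json not found on classpath");
            }
            return in.readAllBytes(); // available since Java 9
        }
    }

    // Case 2: the name does come from a caller. Resolve it under a fixed base
    // directory and reject anything that ends up outside that directory.
    static byte[] readUnderBase(Path baseDir, String requestedName) throws IOException {
        Path base = baseDir.toRealPath();
        // An absolute requestedName replaces base entirely; "../" climbs out of it.
        Path candidate = base.resolve(requestedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + requestedName);
        }
        // Resolve symlinks and check again, so a link inside base cannot point outside.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes base directory: " + requestedName);
        }
        return Files.readAllBytes(real);
    }

    // Demonstrates case 2 only; case 1 needs 8Aug.json on the classpath.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("json-base"); // constructed sample dir
        Files.writeString(base.resolve("8Aug.json"), "{\"ok\":true}"); // constructed content
        System.out.println(new String(readUnderBase(base, "8Aug.json"), StandardCharsets.UTF_8));
        try {
            readUnderBase(base, "../outside.json");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```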