
After a security scan, I get the error Absolute Path Traversal in the file:

https://github.com/takari/maven-wrapper/blob/master/.mvn/wrapper/MavenWrapperDownloader.java

Line 50: File baseDirectory = new File(args[0]);

The MavenWrapperDownloader.java actually belongs to Apache ... is there a new version of the file with which I will not get an error?

One option I found (https://portswigger.net/web-security/file-path-traversal) is to use

File base = new File(BASE_DIRECTORY).getCanonicalFile();
File file = new File(base, userInput).getCanonicalFile();
// Compare canonical paths with the separator appended, so "/base2" is not accepted as a child of "/base"
if (file.getPath().startsWith(base.getPath() + File.separator)) {
    // process file
}

But in the Java class they are already checking:

File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
String url = DEFAULT_DOWNLOAD_URL;
if(mavenWrapperPropertyFile.exists()) {
    ...

Any suggestions?

  • First you claimed that MavenWrapperDownloader.java belongs to Apache? You mean that file has an Apache License? If you think it's necessary to change that, create a pull request on the takari/maven-wrapper repo ... Maven 4.X will get a maven wrapper (https://github.com/apache/maven/tree/master/maven-wrapper). Does the security scan happen in a corporate environment? – khmarbaise Apr 21 '21 at 10:50
  • Yes, it has an Apache license, and yes, the security scan happens in a corporate environment. So you mean that I can use the Maven wrapper 4.X (MavenWrapperMain) and it performs the same as the MavenWrapperDownloader? – marhg Apr 21 '21 at 12:21
  • No, you can't use wrapper 4.X because it's not yet released in a 4.X. Apart from that, I don't understand why you'd use a wrapper in a corporate environment, and you can exclude that problem in your security scan in your environment... – khmarbaise Apr 21 '21 at 13:10
  • Yes, I also wondered that; I wanted to have another opinion so I can discuss it internally with the team. Thank you for your feedback! – marhg Apr 21 '21 at 13:59

1 Answer

For me, the below code, which is part of Apache Commons IO, worked:

FilenameUtils.normalize(baseDirectory.getPath())

import org.apache.commons.io.FilenameUtils;
...

// FilenameUtils.normalize takes a String, so pass the File's path (baseDirectory is a File).
// It collapses "." and ".." segments and returns null if the path would climb above the root.
File mavenWrapperPropertyFile = new File(FilenameUtils.normalize(baseDirectory.getPath()), MAVEN_WRAPPER_PROPERTIES_PATH);
String url = DEFAULT_DOWNLOAD_URL;
if(mavenWrapperPropertyFile.exists()) {
    ...
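Both the canonical-path check the question quotes from PortSwigger and the normalize() call in the answer leave the containment decision to the caller. The following is an added example, not code from the maven-wrapper project or from either poster, that resolves MAVEN_WRAPPER_PROPERTIES_PATH under a canonical base directory with java.nio.file and refuses any result that leaves that base; the class name WrapperPathCheck, the property-file value and the "../outside.txt" input are assumptions constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class WrapperPathCheck {
    // Relative path the wrapper resolves under the base directory (value assumed here).
    static final String MAVEN_WRAPPER_PROPERTIES_PATH = ".mvn/wrapper/maven-wrapper.properties";

    /**
     * Resolve a relative path under the base directory and return it only if the
     * result stays inside that base. The base is canonicalised first (symlinks resolved),
     * and Path.startsWith compares whole path components, so "/tmp/base2" is not
     * mistaken for a child of "/tmp/base" the way a plain String prefix test would.
     */
    static Path resolveInside(Path baseDirectory, String relative) throws IOException {
        Path base = baseDirectory.toRealPath();              // base must exist
        Path candidate = base.resolve(relative).normalize();  // collapse "." and ".." segments
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + relative);
        }
        // If the target already exists, resolve its symlinks too, so a link inside the
        // base cannot point at a file outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IOException("symlink escapes base directory: " + relative);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // The wrapper receives the project directory as args[0]; hardened lookup of the properties file.
        Path baseDirectory = Paths.get(args.length > 0 ? args[0] : ".");
        Path properties = resolveInside(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
        System.out.println("properties file: " + properties + " exists=" + Files.exists(properties));

        // Constructed input that climbs out of the base; expected to be rejected.
        try {
            resolveInside(baseDirectory, "../outside.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```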