Conversation
Adding a new vuln to test snyk fix in PR functionality
⛔ Snyk checks have failed. 2 issues have been found so far.
✅ security/snyk check is complete. No issues have been found. (View Details)
✅ license/snyk check is complete. No issues have been found. (View Details)
⛔ code/snyk check is complete. 2 issues have been found. (View Details)
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
try {
fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
fis = new java.io.FileInputStream(new java.io.File(fileName));
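Review bot: there is no normalization or containment check between building fileName from param and opening it, so the fis line is exactly the path traversal sink Snyk flags below; since the PR title says this vulnerability is intentional, mark it with a comment on that line (for a real fix, canonicalize the resolved java.io.File and refuse to open it unless it still lies under TESTFILES_DIR).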
Path Traversal
Unsanitized input from cookies flows into java.io.FileInputStream, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
Line 71 | CWE-23 | Priority score 822 | Learn more about this vulnerability
Data flow: 14 steps
Step 1 - 2
Step 3 vulnerablefileadd.java#L58
Step 4 - 7 vulnerablefileadd.java#L60
Step 8 - 10 vulnerablefileadd.java#L70
Step 11 - 14
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName");
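Review bot: userCookie is constructed without a setHttpOnly call (and no setSecure is visible in this region either), which is what the CWE-1004 finding below reports; unless this cookie is meant to be one of the intentional findings, add userCookie.setHttpOnly(true) (and setSecure(true) where the app is served over TLS) directly after the constructor.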
Sensitive Cookie Without 'HttpOnly' Flag
Cookie misses a call to setHttpOnly. Set the HttpOnly flag to true to protect the cookie from possible malicious code on client side.
Line 37 | CWE-1004 | Priority score 436
🎉 Snyk checks have passed. No issues have been found so far.
✅ security/snyk check is complete. No issues have been found. (View Details)
✅ license/snyk check is complete. No issues have been found. (View Details)