...

This noncompliant code example accepts the file path as a command line argument. Let argv[1] be the string java, where /tmp/java is a symbolic link that points to another file in some directory of the local file system. On POSIX-based systems, the getAbsolutePath() method includes /tmp/java (the name of the symbolic link) in the path that it returns rather than the path of the link's target. An adversary who can create symbolic links can cause the program to operate on the wrong file.

On Windows and Macintosh systems, on the other hand, this behavior is not observed: the symbolic link is fully resolved on these platforms. The result is implementation-defined behavior.

Code Block
import java.io.File;

public class NoncompliantPathCheck {
  public static void main(String[] args) {
    // The untrusted argument is appended to /tmp and checked without canonicalization
    File f = new File("/tmp/" + args[0]);
    String absPath = f.getAbsolutePath();  // on POSIX the symbolic link name is kept as-is

    if (!absPath.equals("/tmp/somefile")) {  // Validation
      throw new IllegalArgumentException();
    }
  }
}

Compliant Solution

This compliant solution uses the getCanonicalPath() method, introduced in Java 2, because it resolves aliases, shortcuts, and symbolic links consistently across all platforms. The name of the alias is not included in the returned value. Moreover, relative references such as the double period (..) are also removed, so that the input is reduced to a canonical form before validation is carried out. The getCanonicalPath() method throws a security exception when used within applets because it reveals too much information about the host machine. The getCanonicalFile() method behaves like getCanonicalPath() but returns a new File object instead of a String.

Code Block
import java.io.File;
import java.io.IOException;

public class CompliantPathCheck {
  public static void main(String[] args) throws IOException {
    File f = new File("/tmp/" + args[0]);
    // Canonical form: symbolic links are resolved and ".." components removed before the check
    String canonicalPath = f.getCanonicalPath();

    if (!canonicalPath.equals("/tmp/somefile")) {  // Validation
      throw new IllegalArgumentException();
    }
  }
}
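The following is an added, self-contained demonstration (not part of the original page) that builds a scratch directory with a symbolic link and shows the two methods side by side, then runs the compliant check against a plain name, a name containing "..", and the link; the validate helper and the fixture names are assumptions, and the run assumes a POSIX file system where symbolic links can be created.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class CanonicalPathDemo {

  // Hypothetical validator: canonicalize the user-supplied name inside baseDir and
  // accept it only if it names the single expected file. The expected path is also
  // canonicalized so links in baseDir itself do not break the comparison.
  static String validate(String baseDir, String userInput, String expected)
      throws IOException {
    String canonical = new File(baseDir, userInput).getCanonicalPath();
    if (!canonical.equals(new File(expected).getCanonicalPath())) {
      throw new IllegalArgumentException("rejected: " + canonical);
    }
    return canonical;
  }

  public static void main(String[] args) throws IOException {
    // Constructed fixture: a scratch directory holding the expected file, an
    // unrelated file, and a symbolic link named "java" pointing at the unrelated file.
    Path dir = Files.createTempDirectory("canon");
    Path somefile = Files.createFile(dir.resolve("somefile"));
    Path other = Files.createFile(dir.resolve("other"));
    Path link = Files.createSymbolicLink(dir.resolve("java"), other);

    File viaLink = new File(dir.toFile(), "java");
    System.out.println("absolute:  " + viaLink.getAbsolutePath());  // still ends in /java
    System.out.println("canonical: " + viaLink.getCanonicalPath()); // ends in /other

    String base = dir.toString();
    String expected = somefile.toString();
    System.out.println(validate(base, "somefile", expected));                 // accepted
    System.out.println(validate(base, "../" + dir.getFileName() + "/somefile",
                                expected));                                   // ".." removed, accepted
    try {
      validate(base, "java", expected);  // link resolves to /other, so it is rejected
    } catch (IllegalArgumentException e) {
      System.out.println(e.getMessage());
    }

    Files.delete(link);
    Files.delete(other);
    Files.delete(somefile);
    Files.delete(dir);
  }
}
```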

Risk Assessment

Using path names from untrusted sources without first canonicalizing the filenames may result in operations being carried out on the wrong files.

...