...
This compliant solution uses the getCanonicalPath() method, introduced in Java 2, because it resolves the aliases, shortcuts or symbolic links consistently, across all platforms. The value of the alias (if any) is not included in the returned value. Moreover, relative references like the double period (..) are also removed so that the input is reduced to a canonicalized form before validation is carried out. Consequently, this compliant solution is also compliant with IDS18-J. Prevent against directory traversal attacks in that, an adversary cannot use ../ sequences to break out of the specified directory when the validate() method is present.
...