...
Canonicalization contains an inherent race window between the time the program obtains the canonical path name and the time it opens the file. While the canonical path name is being validated, the file system may have been modified and the canonical path name may no longer reference the original valid file. Fortunately, this race condition can be easily mitigated. The canonical path name can be used to determine whether the referenced file name is in a secure directory (see rule FIO00-J. Do not operate on files in shared directories for more information). If the referenced file is in a secure directory, then, by definition, an attacker cannot tamper with it and cannot exploit the race condition.
This rule is a specific instance of rule IDS01-J. Normalize strings before validating them.
Noncompliant Code Example
This noncompliant code example accepts a file path as a command-line argument and uses the File.getAbsolutePath() method to obtain the absolute file path. It also uses the isInSecureDir() method defined in rule FIO00-J. Do not operate on files in shared directories to ensure that the file is in a secure directory. However, it neither resolves file links nor eliminates equivalence errors.
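The difference between the absolute-path check the noncompliant example relies on and a check on the canonical path, shown as an added example (this is not the page's noncompliant code, which is elided here, nor CERT's own code): it builds a base directory containing a symbolic link to a sibling directory and validates the same untrusted relative path both ways. The isInSecureDir() method from FIO00-J is not on this page, so a canonical-prefix check stands in for it; the class and method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class CanonicalPathCheck {

  // Returns true when the canonical form of 'untrusted', resolved against
  // baseDir, still lies inside baseDir. getCanonicalPath() resolves symbolic
  // links and "." / ".." components, so a link pointing outside is detected.
  // The prefix check is an assumption of this example standing in for the
  // isInSecureDir() check of FIO00-J, which is not reproduced here.
  static boolean isWithinBase(File baseDir, String untrusted) throws IOException {
    String base = baseDir.getCanonicalPath() + File.separator;
    String canonical = new File(baseDir, untrusted).getCanonicalPath();
    return canonical.startsWith(base);
  }

  // The weak check: getAbsolutePath() only prepends the working directory and
  // resolves nothing, so a symbolic link inside baseDir that points outside it
  // still passes the prefix test.
  static boolean isWithinBaseAbsolute(File baseDir, String untrusted) {
    String base = baseDir.getAbsolutePath() + File.separator;
    String absolute = new File(baseDir, untrusted).getAbsolutePath();
    return absolute.startsWith(base);
  }

  public static void main(String[] args) throws IOException {
    // Constructed fixture: a temporary base directory holding a symbolic link
    // to a sibling directory outside it, plus one file behind that link.
    Path root = Files.createTempDirectory("canon-demo");
    Path base = Files.createDirectories(root.resolve("base"));
    Path outside = Files.createDirectories(root.resolve("outside"));
    Files.createSymbolicLink(base.resolve("link"), outside);
    Files.write(outside.resolve("secret.txt"), "x".getBytes());

    // The same untrusted relative path, validated both ways.
    String untrusted = "link/secret.txt";
    System.out.println("absolute-path check accepts: "
        + isWithinBaseAbsolute(base.toFile(), untrusted));
    System.out.println("canonical-path check accepts: "
        + isWithinBase(base.toFile(), untrusted));
  }
}
```

Creating the symbolic link requires a file system and account that permit it; the absolute-path variant accepts the linked path while the canonical-path variant rejects it.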
...
| FIO02-C. Canonicalize path names originating from untrusted sources |
| FIO02-CPP. Canonicalize path names originating from untrusted sources |
| ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/) | Path Traversal [EWR] |
| CWE-171. Cleansing, canonicalization, and comparison errors |
| CWE-647. Use of non-canonical URL paths for authorization decisions |
...
...