Bug 456987

Summary: BUG - External Control of File Name or Path - ClassLoaderWeavingAdaptor.java
Product: [Tools] AspectJ
Component: IDE
Reporter: david camilo espitia manrique <dcespitiam>
Assignee: aspectj inbox <aspectj-inbox>
Status: NEW ---
QA Contact:
Severity: normal
Priority: P3
CC: aclement
Version: 1.6.9
Target Milestone: ---
Hardware: PC
OS: Windows 7
Whiteboard:

Description david camilo espitia manrique CLA 2015-01-07 18:30:22 EST
We are currently using aspectjweaver-1.6.9.jar and the Veracode analysis found a bug in this class, ClassLoaderWeavingAdaptor.java (Line 350):

Type: External Control of File Name or Path

Description:

This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any.

Is this a false positive?

Thanks.
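To help triage a finding of this class, here is an added illustration in Java (not AspectJ's code, and not the code at line 350 of ClassLoaderWeavingAdaptor.java, which is not shown here): the pattern a scanner flags, joining an externally supplied name straight into a file path, next to a hardened form that confines the result to an intended base directory. The class and method names and the sample directory name are hypothetical.

```java
import java.io.File;
import java.io.IOException;

// Added triage illustration for an "External Control of File Name or Path" finding.
// Hypothetical names; this is not code from the AspectJ weaver.
public class PathFindingTriage {

    // What scanners flag: a name that may cross a trust boundary is joined
    // directly into a path. This is only a true positive if callers can really
    // control `name` and the resulting file is then read or written.
    static File unsafeResolve(File baseDir, String name) {
        return new File(baseDir, name); // a name containing ".." leaves baseDir
    }

    // Hardened form: canonicalise both sides and require containment, so that
    // ".." segments and symlinks cannot resolve outside the intended directory.
    static File confinedResolve(File baseDir, String name) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        File candidate = new File(baseDir, name);
        String resolved = candidate.getCanonicalPath();
        if (!resolved.startsWith(base)) {
            throw new IOException("path escapes base directory: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a dump directory under the temp dir, a benign
        // class-file name, and a name that tries to climb out of the directory.
        File base = new File(System.getProperty("java.io.tmpdir"), "weaver-dump");
        String ok = "com" + File.separator + "example" + File.separator + "Foo.class";
        String bad = ".." + File.separator + ".." + File.separator + "secret.txt";

        System.out.println("accepted: " + confinedResolve(base, ok));
        try {
            confinedResolve(base, bad);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether the scanner's report is a false positive turns on the first question in the comments: where the name actually comes from (configuration under the deployer's control versus input an untrusted party can influence) and whether a containment check like the one above, or an equivalent, sits between the two.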
Comment 1 Andrew Clement CLA 2015-01-07 20:14:29 EST
I really need the line number in 1.8.4 rather than 1.6.9. I'm not sure if it is a real problem or not but so far these analysis issues aren't having that much success at finding any real bugs :)