Bug 456987 - BUG - External Control of File Name or Path - ClassLoaderWeavingAdaptor.java
Summary: BUG - External Control of File Name or Path - ClassLoaderWeavingAdaptor.java
Status: NEW
Alias: None
Product: AspectJ
Classification: Tools
Component: IDE
Version: 1.6.9
Hardware: PC Windows 7
Importance: P3 normal
Target Milestone: ---
Assignee: aspectj inbox CLA
Reported: 2015-01-07 18:30 EST by david camilo espitia manrique CLA
Modified: 2015-01-07 20:14 EST
Description david camilo espitia manrique CLA 2015-01-07 18:30:22 EST
We are currently using aspectjweaver-1.6.9.jar, and the Veracode analysis found a bug in the class ClassLoaderWeavingAdaptor.java (line 350):

Type:  External Control of File Name or Path

Description:

This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.

Is this a false positive?

Thanks.
Comment 1 Andrew Clement CLA 2015-01-07 20:14:29 EST
I really need the line number in 1.8.4 rather than 1.6.9. I'm not sure if it is a real problem or not but so far these analysis issues aren't having that much success at finding any real bugs :)