
    [bogus] Directory Traversal bug reported by Veracode

    The following is the issue reported when a security audit was run over the source code of Smart GWT 3.0.

    External Control of File Name or Path
    Recommendations
    Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
    Module # Class # Module Location
    com/.../FileAssembler.java 293
    com/.../FileDistributor.java 55
    com/.../FileDistributor.java 66
    com/.../FileDistributor.java 75
    com/.../FileDistributor.java 139
    com/.../FileDistributor.java 150
    com/.../FileDistributor.java 158
    com/.../FilePackager.java 47
    com/.../FilePackager.java 63
    com/.../FilePackager.java 69
    com/.../FilePackager.java 84
    .../JSSyntaxScannerFilter.java 295
    com/.../servlet/SourceViewer.java 183

    Can we have a resolution for this soon, please?
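
The recommendation quoted in the report above (validate against an expected format, and if a blacklist is used, sanitize until stable) is the point scanners make for CWE-73 findings. The following is an added example, not code from Smart GWT or Isomorphic, illustrating the two halves of that advice: why a single-pass strip of "../" is bypassable, and the approach of canonicalizing the candidate path and checking it stays under a fixed base directory. The class name PathGuard, the method names and the sample inputs are all constructed for this illustration.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added illustration (not Smart GWT code) of the validation advice for
 * "External Control of File Name or Path" findings.
 */
public class PathGuard {

    /** Naive blacklist: strips "../" in one pass. Nested sequences such as
     *  "....//" collapse into a fresh "../" after the inner one is removed. */
    static String stripOnce(String name) {
        return name.replace("../", "");
    }

    /** Blacklist iterated until nothing changes, which is what the
     *  "sufficient number of iterations" recommendation refers to. */
    static String stripUntilStable(String name) {
        String prev;
        do {
            prev = name;
            name = name.replace("../", "");
        } while (!name.equals(prev));
        return name;
    }

    /**
     * Preferred approach: resolve the user-supplied name against a fixed base
     * directory, canonicalize both, and reject anything whose canonical form
     * is not inside the base. The check is made on the resolved filesystem
     * path, so it does not depend on spotting any particular "../" spelling.
     * The base directory itself (e.g. an empty name or ".") is also rejected,
     * since only files beneath it are expected.
     */
    static File resolveUnderBase(File baseDir, String userName) throws IOException {
        File base = baseDir.getCanonicalFile();
        File candidate = new File(base, userName).getCanonicalFile();
        // Compare against base plus a trailing separator so that a sibling
        // directory sharing the base's name as a prefix is not accepted.
        String basePrefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new IOException("Rejected path outside base directory: " + userName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: nested traversal that survives one strip pass.
        String nested = "....//....//etc/passwd";
        System.out.println("one pass      : " + stripOnce(nested));
        System.out.println("until stable  : " + stripUntilStable(nested));

        // Constructed base directory under the JVM temp dir for the demo.
        File base = new File(System.getProperty("java.io.tmpdir"), "pathguard-demo");
        base.mkdirs();
        System.out.println("accepted      : " + resolveUnderBase(base, "report.txt"));
        try {
            resolveUnderBase(base, "../../etc/passwd");
        } catch (IOException e) {
            System.out.println("rejected      : " + e.getMessage());
        }
    }
}
```

Running the main method shows the single-pass strip leaving a traversal sequence behind while the iterated strip does not; resolveUnderBase is the check a reviewer would want to see at each flagged call site, because it reasons about where the path actually lands rather than about which characters it contains.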

    #2
    This appears to be a bogus report.

    In general, security scanning tools produce a lot of bogus reports because, among other things, they will scan methods that are not accessible from the end-user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc.).

    If you believe you've found a security vulnerability, you should submit a test case showing how the code could be exploited.
