Fority扫描报告“路径操作”的安全性问题在下面的代码片段Fortify的路径操作错误
String filePath = getFilePath(fileLocation, fileName);
final File file = new File(filePath);
LOGGER.info("Saving report at : " + filePath);
BufferedWriter fileWriter = new BufferedWriter(new FileWriter(file));
fileWriter.write(fileContent);
,所以我在fileLocation检查列入黑名单的人物和投掷例外,仍然是Fortify的是抛出异常。
try {
String filePath = getFilePath(fileLocation, fileName);
if (isSecurePath(filePath)) {
final File file = new File(filePath);
LOGGER.info("Saving report at : " + filePath);
BufferedWriter fileWriter = new BufferedWriter(new FileWriter(file));
fileWriter.write(fileContent);
} else {
throw new Exception("Security Issue. File Path has blacklisted characters");
}
} catch (final Exception e) {
LOGGER.error("Unable to prepare mail attachment : ", e);
message = "Mail cannot be send, Unable to prepare mail attachment";
}
private boolean isSecurePath(String filePath) {
String[] blackListChars = {".."};
return (StringUtils.indexOfAny(filePath, blackListChars)< 0);
}
我应该忽略扫描报告还是会对此进行正确的修复?
瞧这也https://security.stackexchange.com/questions/103884/how-to-resolve-path-manipulation-error-given-by-fortify –