How to correct Path Manipulation error given by fortify?

Question

I need to read the properties file kept in user_home folder.

PropsFile = System.getProperty("user.home") + System.getProperty("file.separator")+ "x.properties"; 

Fortify is giving path manipulation error in this line. The number of correct values is large so blacklisting is the only way possible. So to avoid it i changed the code as below.

String propsFile = null;
StringBuffer sb = new StringBuffer();
String xProperties = "x.properties";
String userHome = System.getProperty("user.home");  // *
if(userHome.contains("..\\"))
 userHome = userHome.replace("..\\", "");
if(userHome.contains("../"))
 userHome = userHome.replace("../", "");
if(userHome.contains("./"))
 userHome = userHome.replace("./", "");

String fileSeperator = System.getProperty("file.separator");    // *
  if(fileSeperator.equals("/") || fileSeperator.equals("\\")){
    sb = sb.append(userHome).append(fileSeperator).append(xProperties);
    propsFile = sb.toString();
  }

but still fortify is giving me the same errors in (*) marked lines ( although the validation is done ). How can i remove the error ?

Answer 1

Instead of trying to remove the Fortify error, I urge you to think about the security vulnerability.

The problem is that user.home could be crafted, possibly with the -D vm arg, to allow any file named x.properties potentialy anywhere on the system to be opened, or be destroyed. For example, setting user.home to /usr/local would not be detetcted by your blacklisting. Any file called /usr/local/x.properties could then be read or overwritten.

You need to challenge why any value of user.home can be allowed. You need to check that the path you get from user.home starts with a certain location (say, /home). This is caled whitelist validation and is a common and well-known fix for security vulnerabilities. Once you do establish that the supplied path has a root in a known location then do you your blacklisting for directory transversal.

I know this is a pain but the attempt to fix this with blacklisting alone is fraught with peril and will never fix the problem. And it is a real security issue, not just a Fortify error.