codeql icon indicating copy to clipboard operation
codeql copied to clipboard

Published 20 hours ago verified publisher icon github

False positive: Java: Uncontrolled data used in path expression

Open JLLeitschuh opened this issue 1 year ago • 1 comments

Description of the false positive

This shouldn't be included because there is an adequate guard protecting against a path traversal payload.

Code samples or links to source code

    private Path indexRootPath(final String name) {
        final Path result = rootDir.resolve(name);
        if (result.startsWith(rootDir)) {
            return result;
        }
        throw new WebApplicationException(name + " attempts to escape from index root directory", Status.BAD_REQUEST);
    }

https://github.com/apache/couchdb/blob/43ab37ba6115851297de0804c563c1f0d23bf52a/nouveau/src/main/java/org/apache/couchdb/nouveau/core/IndexManager.java#L267-L273

URL to the alert on GitHub code scanning (optional)

https://github.com/Wolfi-Chainguard-Demo/apache__couchdb/security/code-scanning/6

JLLeitschuh avatar Feb 21 '24 22:02 JLLeitschuh

Thank you for filing this issue! The FP should be removed by https://github.com/github/codeql/pull/12886, so release 2.16.3 should resolve it.

ginsbach avatar Feb 22 '24 14:02 ginsbach