Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding code with some deep sinks #1

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Adding code with some deep sinks #1

wants to merge 1 commit into from

Conversation

jeff-zapotoczny-sonarsource
Copy link

Thank you for submitting a pull request to the WebGoat!

@sonar-nautilus
Copy link

SonarQube Quality Gate

Quality Gate failed

Failed condition E Security Rating on New Code (is worse than A)
Failed condition 0.0% 0.0% Coverage on New Code (is less than 90%)

See analysis details on SonarQube

Fix issues before they fail your Quality Gate with SonarLint SonarLint in your IDE.

github-advanced-security[bot]
github-advanced-security bot found potential problems May 30, 2024
View reviewed changes
src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/DSAST.java
String[] filenames = StringUtils.commaDelimitedListToStringArray(input);
for (String filename : filenames) {
var file = new File(directory, filename);
FileSystemUtils.deleteRecursively(file);

Check failure

Code scanning / SonarCloudsquad-2

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/DSAST.java

String directory = "./target/directory";
var file = new File(directory, filename);
FileUtil.getFileUtil().delete(filename);

Check failure

Code scanning / SonarCloudsquad-2

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/DSAST.java

String directory = "./target/directory";
var file = new File(directory, filename);
DataUtil.load(file, "utf-8", "uri://");

Check failure

Code scanning / SonarCloudsquad-2

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/DSAST.java
String[] filenames = StringUtils.commaDelimitedListToStringArray(input);
for (String filename : filenames) {
var file = new File(directory, filename);
FileSystemUtils.deleteRecursively(file);

Check warning

Code scanning / SonarCloudsquad-2

Accessing files should not lead to filesystem oracle attacks Medium

Change this code to not construct the path from user-controlled data. See more on SonarCloud
@sonarcloudsquad2 SonarCloudSquad2
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jeff-zapotoczny-sonarsource