I am getting a blocker issue from SonarQube because I am using user-controlled data to construct a file path. I searched a lot for a fix and found different solutions, but no luck.
Code:
@RequestMapping(value = "/downloadImage", method = RequestMethod.GET)
public void downloadImages(@RequestParam("fileName") final String fileName, HttpServletResponse response)
        throws IOException {
    Path file = Paths.get(filePath, fileName);
    Path pdffileName = file.getFileName();
    if (file.toFile().exists()) {
        //logic
        Files.copy(file, response.getOutputStream()); //sonarqube blocker issue - 1
        InputStream zipFile = new FileInputStream(
                new File(URLDecoder.decode(tempPath + "/" + fileName, "UTF-8"))); //sonarqube blocker issue - 2
    }
}
fileName is the user-controlled data. Please suggest how I can pass SonarQube. I need to pass the file name as a parameter. Thank you.
Upvotes: 0
Views: 1283
I think we can surmise what the error message is actually saying.
The basic idea is that you are allowing the user to get the contents of any file reachable from the application, just by specifying the name of the file. That is considered a security hole.
If you actually need to mitigate this, a possible strategy would be to use the input filename as a search string in a list of allowed file names to retrieve. If the filename is found in that list, use the filename from the list (not the value of the input parameter) as the file name to retrieve.
If there's no way for you to know what the allowed list of filenames is, which means you actually have to allow the insecure strategy that SonarQube is complaining about, then you have to decide whether you want to mitigate this security hole or simply ignore it, or perhaps mark it as a "false positive".
Upvotes: 1
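One way to implement the allow-list strategy the answer describes, written here as an added example in plain Java (it is not code from the question, the answer, or SonarQube, and it deliberately leaves Spring out so it runs with only the JDK, version 11 or later). The map contents, the class name AllowListedDownloads and the base directory are constructed assumptions; in the original controller, the value of fileName would be handed to resolve() and Files.copy() would only ever be called on a path that came back from it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.Optional;

/**
 * Maps a client-supplied name to a server-side file name taken from an allow-list.
 * The client's string is only ever used as a lookup key; it never becomes part of a path.
 */
public final class AllowListedDownloads {

    // Constructed allow-list: key = what the client may send, value = the real file name.
    // Only values from this map reach the file system.
    private static final Map<String, String> ALLOWED = Map.of(
            "report", "quarterly-report.pdf",
            "logo", "logo.png");

    private final Path baseDir;

    public AllowListedDownloads(Path baseDir) throws IOException {
        // Resolve symlinks once so the containment check below compares real paths.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the file to serve, or empty when the request does not map to an allowed, existing file. */
    public Optional<Path> resolve(String requested) throws IOException {
        String serverName = ALLOWED.get(requested);
        if (serverName == null) {
            return Optional.empty(); // not in the allow-list: the client string is discarded
        }
        Path candidate = baseDir.resolve(serverName).normalize();
        // Defence in depth: even an allow-listed value must stay inside baseDir and be a regular file.
        if (!candidate.startsWith(baseDir) || !Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory with one of the two allow-listed files present.
        Path dir = Files.createTempDirectory("downloads");
        Files.writeString(dir.resolve("quarterly-report.pdf"), "constructed sample content");
        AllowListedDownloads downloads = new AllowListedDownloads(dir);

        System.out.println(downloads.resolve("report"));         // present -> Optional[.../quarterly-report.pdf]
        System.out.println(downloads.resolve("logo"));           // allow-listed but missing on disk -> Optional.empty
        System.out.println(downloads.resolve("../outside.txt")); // not a key in the allow-list -> Optional.empty
    }
}
```

Because the lookup key is never concatenated into a path, the path-construction finding has nothing user-controlled to flag; the startsWith check is kept only as a second line of defence in case the allow-list itself is ever populated from configuration. A request whose name is absent from the list should be answered with a plain 404 rather than an error that differs depending on whether some file of that name happens to exist.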