Review

Detector:

Findbugs

Target:

project '

axis1

' version

1.2

Tags:

vulnerability

unsanitized input

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-2
In File:	org/apache/axis/attachments/ManagedMemoryDataSource.java
In Method:	main(String[])
Code with Finding:	class ManagedMemoryDataSource { /** * Method main * * @param arg / public static void main(String arg[]) { // test try { String readFile = arg[0]; String writeFile = arg[1]; java.io.FileInputStream ss = new java.io.FileInputStream(readFile); ManagedMemoryDataSource ms = new ManagedMemoryDataSource(ss, 1024 1024, "foo/data", true); javax.activation.DataHandler dh = new javax.activation.DataHandler(ms); java.io.InputStream is = dh.getInputStream(); java.io.FileOutputStream fo = new java.io.FileOutputStream(writeFile); byte[] buf = new byte[512]; int read = 0; do { read = is.read(buf); if (read > 0) { fo.write(buf, 0, read); } } while (read > -1); fo.close(); is.close(); } catch (java.lang.Exception e) { log.error(Messages.getMessage("exception00"), e); } } }

Metadata

Hit	Rank	Desc	Type	Violations
Yes	2	SECPTO: java/io/FileOutputStream.<init>(Ljava/lang/String;)V writes to a file whose location might be specified by user input	PATH_TRAVERSAL_OUT

Reviewer Name:	anna
Comment:	The variable writeFile is created with an unsanitzied input. Therefore, the function reads a file which is controlled by the user which is a vulnerability.