Review

Detector:

Findbugs

Target:

project '

bctls

' version

1.58

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-3
In File:	org/bouncycastle/jsse/provider/
In Method:	engineInit(KeyStore)
Code with Finding:	protected void engineInit(KeyStore ks) throws KeyStoreException { try { if (ks == null) { ks = createTrustStore(); String tsPath = null; char[] tsPassword = null; String tsPathProp = PropertyUtils.getSystemProperty("javax.net.ssl.trustStore"); if (tsPathProp != null) { if (new File(tsPathProp).exists()) { tsPath = tsPathProp; String tsPasswordProp = PropertyUtils.getSystemProperty("javax.net.ssl.trustStorePassword"); if (tsPasswordProp != null) { tsPassword = tsPasswordProp.toCharArray(); } } } else if (new File(JSSECACERTS_PATH).exists()) { tsPath = JSSECACERTS_PATH; } else if (new File(CACERTS_PATH).exists()) { tsPath = CACERTS_PATH; } if (tsPath == null) { ks.load(null, null); } else { InputStream tsInput = new BufferedInputStream(new FileInputStream(tsPath)); ks.load(tsInput, tsPassword); tsInput.close(); } } Set<TrustAnchor> trustAnchors = getTrustAnchors(ks); if (hasExtendedTrustManager) { trustManager = new ProvX509ExtendedTrustManager(new ProvX509TrustManager(pkixProvider, trustAnchors)); } else { trustManager = new ProvX509TrustManager(pkixProvider, trustAnchors); } } catch (Exception e) { throw new KeyStoreException("initialization failed", e); } }

Metadata

Hit	Rank	Desc	Type	Violations
?	3	SECPTI: java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input	PATH_TRAVERSAL_IN