github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

False positive: Java: Uncontrolled data used in path expression #15686

Open JLLeitschuh opened 5 months ago

JLLeitschuh commented 5 months ago

Description of the false positive

This shouldn't be included because there is an adequate guard protecting against a path traversal payload.

Code samples or links to source code

    // Resolves the index name against rootDir (a Path field of the enclosing class)
    // and only returns the result if it is still located under the index root.
    private Path indexRootPath(final String name) {
        final Path result = rootDir.resolve(name);
        // Guard against path traversal: the resolved path must stay within rootDir.
        if (result.startsWith(rootDir)) {
            return result;
        }
        throw new WebApplicationException(name + " attempts to escape from index root directory", Status.BAD_REQUEST);
    }

https://github.com/apache/couchdb/blob/43ab37ba6115851297de0804c563c1f0d23bf52a/nouveau/src/main/java/org/apache/couchdb/nouveau/core/IndexManager.java#L267-L273

URL to the alert on GitHub code scanning (optional)

https://github.com/Wolfi-Chainguard-Demo/apache__couchdb/security/code-scanning/6

ginsbach commented 5 months ago

Thank you for filing this issue! The FP should be removed by https://github.com/github/codeql/pull/12886, so release 2.16.3 should resolve it.