github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

False positive - Java - Server-side request forgery - When type converted to `File` #16949

Open JLLeitschuh opened 2 months ago

JLLeitschuh commented 2 months ago

Description of the false positive

If a URI or URL is created from a File, it isn't a valid source of SSRF. This is because, AFAIK, opening a stream from a file will never create a socket request.

new File("untrusted-user-input.txt").toURI().toURL().openStream()

Code samples or links to source code

https://github.com/keycloak/keycloak/blob/0bfadacffd1112e6fa6fdce5b6662b08aeb15d79/services/src/main/java/org/keycloak/theme/FolderTheme.java#L101-L101

URL to the alert on GitHub code scanning (optional)

https://github.com/Chainguard-Wolfi-Bites-Back/keycloak__keycloak/security/code-scanning/18

Reasonable Fix

It should be simple to add any type conversion to a File as a simple sanitizer.
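The reasoning behind the report, as an added Java example (not code from the CodeQL project, Keycloak, or the issue author): whatever string a `java.io.File` is built from, `File.toURI().toURL()` produces a URL whose protocol is `file`, so `openStream()` on it reads the local filesystem and never opens a network socket. The `isFileScheme` helper and the sample inputs are assumptions constructed for the example.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;

// Added example, not code from the CodeQL project or the issue.
// Demonstrates why a URL derived from java.io.File is not an SSRF source:
// the File-to-URI conversion always yields the "file" scheme.
public class FileUrlScheme {

    /** Hypothetical helper: true when the URL targets the local filesystem. */
    static boolean isFileScheme(URL url) {
        return "file".equalsIgnoreCase(url.getProtocol());
    }

    /** Mirrors the pattern quoted in the issue: File -> URI -> URL. */
    static URL urlFromUntrustedPath(String untrusted) throws MalformedURLException {
        return new File(untrusted).toURI().toURL();
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample inputs; the second one looks like a remote URL but
        // becomes a relative path component once it passes through File.
        String[] inputs = {
            "untrusted-user-input.txt",
            "http://remote.example/path",
        };
        for (String input : inputs) {
            URL url = urlFromUntrustedPath(input);
            // Both lines print "file scheme: true".
            System.out.printf("%-28s -> %s (file scheme: %b)%n",
                    input, url, isFileScheme(url));
        }

        // Contrast: the same string parsed directly as a URL keeps its "http"
        // scheme, which is the flow the SSRF query is meant to catch.
        URL direct = new URL("http://remote.example/path");
        System.out.println("direct URL protocol: " + direct.getProtocol()
                + " (file scheme: " + isFileScheme(direct) + ")");
    }
}
```

Running it shows the distinction the sanitizer would encode: a `file` scheme on every File-derived URL, and `http` only when the untrusted string is parsed as a URL directly. An untrusted string fed into `new File(...)` still deserves review, but as a local path-handling concern rather than a request-forgery one.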

ginsbach commented 2 months ago

Thank you for this false positive report. I have added it to our tracking board for future consideration, as we are not actively prioritising false positives right now.