I am working to fix Veracode vulnerability CWE-73 (https://cwe.mitre.org/data/definitions/73.html) for my application, in which the input filename is dynamically sent by our other application. It starts with static names like abc, xyz, but the full file name is usually something like abc_1234567.txt.
Snippet of existing app code: call methodA(inputdirectory, inputfile, X, Y) -> Veracode is reporting on inputfile in this case.
I have attempted to add a condition to check the extension of the file, a pattern whitelist allowing alphanumeric characters, and other usual validation like checking that the file String is valid/non-empty – so far no luck, and I also went through the Veracode link as well: https://community.veracode.com/s/article/how-do-i-fix-cwe-73-external-control-of-file-name-or-path-in-java
Hardcoding the file name is not possible, as I mentioned it is dynamic, and also the problem is not just with the extension.
I did attempt to integrate with ESAPI to see if getValidFileName would work, but it looks like that is also not satisfying Veracode.
Any suggestions or pointers which I can attempt further would be helpful! Thanks.
Answer
CWE-73 is an exploitation where the attacker provides user input that allows the system to read the said file and provide malicious access.
The origin of the problem is the file name being “dynamically” sent over. If given the time, I would create a jail or indirection. Let us call the Server A and the Client B. If the server sends ABC, map ABC->DEF in the client. And based on the lookup, whenever the server sends ABC (check whether he has ABC), then look up based on DEF. Never directly consume the user input from the customer.
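The following is an added example (not code from the question's application or from the answerer) of the indirection the answer describes, written for the abc_1234567.txt naming scheme from the question. The received name is never used as a path: it is split into a static prefix and a numeric id, the prefix is looked up in a fixed map (ABC->DEF in the answer's terms), the real file name is rebuilt only from the mapped constant and the validated digits, and the result is confined under a fixed base directory. The base directory, the prefix map and the method name resolveInputFile are assumptions for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class FileNameIndirection {

    // Assumed jail directory: every resolved file must stay below it.
    private static final Path BASE_DIR =
            Paths.get("/var/app/inbox").toAbsolutePath().normalize();

    // Indirection table (assumed values): the token the other application sends
    // on the left, the name actually used on disk on the right. Only keys that
    // exist here are accepted; the received string itself never reaches the path.
    private static final Map<String, String> PREFIX_TO_LOCAL = Map.of(
            "abc", "abc-feed",
            "xyz", "xyz-feed");

    // Whole-string match: static prefix, underscore, 1-12 digits, ".txt".
    // Anything else ("../", absolute paths, NUL, extra dots) is rejected up front.
    private static final Pattern INPUT_NAME =
            Pattern.compile("^([a-z]{3})_([0-9]{1,12})\\.txt$");

    /** Maps an externally supplied name to a trusted path, or throws. */
    public static Path resolveInputFile(String inputFile) {
        if (inputFile == null) {
            throw new IllegalArgumentException("missing file name");
        }
        Matcher m = INPUT_NAME.matcher(inputFile);
        if (!m.matches()) {
            throw new IllegalArgumentException("rejected file name format");
        }

        // Step 1: look the prefix up instead of trusting it (ABC -> DEF).
        String localPrefix = PREFIX_TO_LOCAL.get(m.group(1));
        if (localPrefix == null) {
            throw new IllegalArgumentException("unknown file prefix");
        }

        // Step 2: rebuild the name from the mapped constant plus digits only.
        String rebuilt = localPrefix + "_" + m.group(2) + ".txt";

        // Step 3: confine to the jail and re-check after normalization, so a
        // future change to the map or regex still cannot escape BASE_DIR.
        Path resolved = BASE_DIR.resolve(rebuilt).normalize();
        if (!resolved.startsWith(BASE_DIR) || resolved.equals(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid name and three that must be refused.
        String[] samples = {
                "abc_1234567.txt",
                "../../etc/passwd",
                "abc_1234567.txt.bak",
                "zzz_42.txt"            // well-formed but not in the map
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveInputFile(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The caller would then invoke methodA with the directory and file name taken from the returned Path rather than with the raw inputfile. Whether a given scanner clears the finding depends on its taint analysis recognising that the path is built from constants and a digit-only capture group; the map lookup is what breaks the data flow from the received string to the file system, so keep it as a real lookup rather than a check that returns the original string. Map.of requires Java 9 or later.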