add a trailing slash to the folder check in the QHelp for java/path-injection

erik-krogh · erik-krogh · commit 158ff0da0aff · 2024-01-23T14:46:02.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-022/examples/TaintedPathGoodFolder.java b/java/ql/src/Security/CWE/CWE-022/examples/TaintedPathGoodFolder.java
@@ -7,7 +7,7 @@ public void sendUserFileGood(Socket sock, String user) {
 	Path filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();
 
 	// GOOD: ensure that the path stays within the public folder
-	if (!filePath.startsWith(publicFolder)) {
+	if (!filePath.startsWith(publicFolder + File.separator)) {
 		throw new IllegalArgumentException("Invalid filename");
 	}
 	BufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ public void sendUserFileGood(Socket sock, String user) {`
`7`	`7`	`Path filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();`
`8`	`8`
`9`	`9`	`// GOOD: ensure that the path stays within the public folder`
`10`		`- if (!filePath.startsWith(publicFolder)) {`
	`10`	`+ if (!filePath.startsWith(publicFolder + File.separator)) {`
`11`	`11`	`throw new IllegalArgumentException("Invalid filename");`
`12`	`12`	`}`
`13`	`13`	`BufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));`