Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 36c351d

Browse files
p-p-
committed
Add input from documentation review
1 parent 60d5ed9 commit 36c351d

2 files changed

Lines changed: 7 additions & 8 deletions

File tree

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.qhelp

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,15 +5,15 @@
55

66
<overview>
77
<p>Calling <code>openStream</code> on URLs created from remote source can lead to local file disclosure.</p>
8-
<p>If <code>openStream</code> is called on a <code>java.net.URL</code>, that was created from a remote source
8+
<p>If <code>openStream</code> is called on a <code>java.net.URL</code>, that was created from a remote source,
99
an attacker can try to pass absolute URLs starting with <code>file://</code> or <code>jar://</code> to access
1010
local resources in addition to remote ones.</p>
1111
</overview>
1212

1313
<recommendation>
14-
<p>When you construct a URL using <code>java.net.URL</code> from a remote source, make sure
15-
to not call openStream on it. Instead fetch the URL with a HTTP Client to access its content.
16-
Also validate that the URL uses the correct protocol and host combination.</p>
14+
<p>When you construct a URL using <code>java.net.URL</code> from a remote source,
15+
don't call <code>openStream</code> on it. Instead, use an HTTP Client to fetch the URL and access its content.
16+
You should also validate the URL to check that it uses the correct protocol and host combination.</p></p>
1717
</recommendation>
1818

1919
<example>

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,7 @@
11
/**
2-
* @name Calling openStream on URLs created from remote source can lead to file disclosure
3-
* @description If openStream is called on a java.net.URL, that was created from a remote source
4-
* an attacker can try to pass absolute URLs starting with file:// or jar:// to access
5-
* local resources in addition to remote ones.
2+
* @name openStream called on URLs created from remote source
3+
* @description Calling openStream on URLs created from remote source
4+
* can lead to local file disclosure.
65
* @kind path-problem
76
*/
87

0 commit comments

Comments
 (0)