Fix duplicate class header and better fix using toPath()

smehta23 · smehta23 · commit 7ab8f0262c53 · 2022-06-29T18:01:12.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp
@@ -39,7 +39,7 @@ and not just children of <code>parent</code>, which is a security issue.
 <p>
 
 In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath() + File.separator </code> 
-is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath() + File.separator</code> is 
+is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath().toPath()</code> is 
 indeed slash-terminated, the user supplying <code>dir</code> can only access children of 
 <code>parent</code>, as desired.
 
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
@@ -1,8 +1,8 @@
 import java.io.File;
 
-public class PartialPathTraversalBad {
+public class PartialPathTraversalGood {
     public void esapiExample(File dir, File parent) throws IOException {
-        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
+        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath().toPath())) {
             throw new IOException("Invalid directory: " + dir.getCanonicalPath());
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,8 @@`
`1`	`1`	`import java.io.File;`
`2`	`2`
`3`		`-public class PartialPathTraversalBad {`
	`3`	`+public class PartialPathTraversalGood {`
`4`	`4`	`public void esapiExample(File dir, File parent) throws IOException {`
`5`		`- if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {`
	`5`	`+ if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath().toPath())) {`
`6`	`6`	`throw new IOException("Invalid directory: " + dir.getCanonicalPath());`
`7`	`7`	`}`
`8`	`8`	`}`