Hi, we found that the insecure version of the dependency commons-io is still being used in the code:

cde/core/impl/src/main/java/pt/webdetails/cdf/dd/model/inst/writer/cdfrunjs/components/amd/CdfRunJsDataSourceComponentWriter.java
Line 147 in 513d7a4

which may cause Exposure of Sensitive Information to an Unauthorized Actor.

Test here:
```java
import static org.junit.Assert.assertEquals;

import java.io.File;

import org.apache.commons.io.FilenameUtils;
import org.junit.Test;

public class FilenameUtilsNormalizeTest {

    // Platform path separator, as used by the commons-io test suite
    private static final String SEP = "" + File.separatorChar;

    @Test
    public void testNormalize() throws Exception {
        // Valid UNC hosts (IPv4, IPv6, DNS names) keep their "\\host\" prefix
        assertEquals(SEP + SEP + "127.0.0.1" + SEP + "a" + SEP + "b" + SEP + "c.txt", FilenameUtils.normalize("\\\\127.0.0.1\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "::1" + SEP + "a" + SEP + "b" + SEP + "c.txt", FilenameUtils.normalize("\\\\::1\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "1::" + SEP + "a" + SEP + "b" + SEP + "c.txt", FilenameUtils.normalize("\\\\1::\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "server.example.org" + SEP + "a" + SEP + "b" + SEP + "c.txt", FilenameUtils.normalize("\\\\server.example.org\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "server.sub.example.org" + SEP + "a" + SEP + "b" + SEP + "c.txt", FilenameUtils.normalize("\\\\server.sub.example.org\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "server." + SEP + "a" + SEP + "b" + SEP + "c.txt", FilenameUtils.normalize("\\\\server.\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "1::127.0.0.1" + SEP + "a" + SEP + "b" + SEP + "c.txt",
                FilenameUtils.normalize("\\\\1::127.0.0.1\\a\\b\\c.txt"));
        // not valid IPv4 addresses but technically valid "reg-name"s according to RFC1034
        assertEquals(SEP + SEP + "127.0.0.256" + SEP + "a" + SEP + "b" + SEP + "c.txt",
                FilenameUtils.normalize("\\\\127.0.0.256\\a\\b\\c.txt"));
        assertEquals(SEP + SEP + "127.0.0.01" + SEP + "a" + SEP + "b" + SEP + "c.txt",
                FilenameUtils.normalize("\\\\127.0.0.01\\a\\b\\c.txt"));
        // Invalid hosts (including "." and ".."): normalize() must return null
        // instead of passing the path through unchanged
        assertEquals(null, FilenameUtils.normalize("\\\\-server\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\.\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\..\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\127.0..1\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\::1::2\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\:1\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\1:\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\1:2:3:4:5:6:7:8:9\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\g:2:3:4:5:6:7:8\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\1ffff:2:3:4:5:6:7:8\\a\\b\\c.txt"));
        assertEquals(null, FilenameUtils.normalize("\\\\1:2\\a\\b\\c.txt"));
    }

    @Test
    public void testNormalizeUnixWin() throws Exception {
        // Prefix length covers "\\host\"; -1 means the UNC prefix is invalid
        assertEquals(12, FilenameUtils.getPrefixLength("\\\\127.0.0.1\\a\\b\\c.txt"));
        assertEquals(6, FilenameUtils.getPrefixLength("\\\\::1\\a\\b\\c.txt"));
        assertEquals(21, FilenameUtils.getPrefixLength("\\\\server.example.org\\a\\b\\c.txt"));
        assertEquals(10, FilenameUtils.getPrefixLength("\\\\server.\\a\\b\\c.txt"));
        assertEquals(-1, FilenameUtils.getPrefixLength("\\\\-server\\a\\b\\c.txt"));
        assertEquals(-1, FilenameUtils.getPrefixLength("\\\\.\\a\\b\\c.txt"));
        assertEquals(-1, FilenameUtils.getPrefixLength("\\\\..\\a\\b\\c.txt"));
    }
}
```
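The test above only pins down what `FilenameUtils.normalize()` returns; the risk for the calling code is what it does with that return value. The following is an added example, not code from the commons-io project or from the CDE repository, showing how an application should consume `normalize()` when the input is untrusted: treat `null` as a rejection, refuse any result that carries a path prefix (absolute, drive or UNC), and add a canonical-path containment check so the outcome does not depend on which commons-io version ends up on the classpath. The class name `SafePathResolver` and the base directory `/var/app/data` are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

// Added example (hypothetical class, not part of commons-io or CDE)
public class SafePathResolver {

    private final File baseDir;

    public SafePathResolver(File baseDir) throws IOException {
        // Canonicalize once so the containment check below compares like with like
        this.baseDir = baseDir.getCanonicalFile();
    }

    /**
     * Resolves an untrusted relative file name under baseDir.
     * Returns null whenever the name cannot be used safely.
     */
    public File resolve(String untrusted) throws IOException {
        if (untrusted == null) {
            return null;
        }
        // Layer 1: normalize() collapses "." and ".." and, in commons-io versions
        // that include the fix exercised by the test above, returns null for a
        // UNC-style prefix whose host part is invalid (e.g. "\\..\a") instead of
        // passing the path through unchanged. It also returns null when ".." would
        // climb above the start of a relative path (e.g. "../etc/passwd").
        String normalized = FilenameUtils.normalize(untrusted);
        if (normalized == null) {
            return null;
        }
        // Layer 2: a relative name must have no prefix at all. getPrefixLength()
        // is non-zero for "/x", "C:\x", "\\host\x" and "~/x" (and -1 when the
        // prefix is invalid), so this also catches UNC prefixes that an older
        // commons-io would have kept.
        if (FilenameUtils.getPrefixLength(normalized) != 0) {
            return null;
        }
        // Layer 3: containment on canonical paths, so symlinks and any remaining
        // separator quirks cannot move the result outside baseDir.
        File candidate = new File(baseDir, normalized).getCanonicalFile();
        if (!candidate.toPath().startsWith(baseDir.toPath())) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical base directory; adjust for the host this runs on
        SafePathResolver resolver = new SafePathResolver(new File("/var/app/data"));
        System.out.println(resolver.resolve("reports/q1.txt"));       // /var/app/data/reports/q1.txt
        System.out.println(resolver.resolve("../etc/passwd"));        // null (rejected by normalize)
        System.out.println(resolver.resolve("\\\\..\\a\\b\\c.txt"));  // null (invalid UNC host, as in the test above)
    }
}
```

Layer 2 is what makes the example robust against the dependency problem the issue reports: with an older commons-io, `normalize("\\\\..\\a\\b\\c.txt")` is not null but still carries a non-zero prefix, so the name is rejected there instead of reaching the file system.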