Severity: high
Type: path-traversal
Exploitable: YES
Confidence: 92%
The validateSafeDirectory method uses File.getAbsoluteFile() to resolve paths before checking them against the DANGEROUS_PATHS blocklist. However, getAbsoluteFile() does not resolve symbolic links. If a user supplies a path such as /tmp/wipe, where /tmp/wipe is a symlink pointing to /etc (or any other blocked directory), the validation check sees the path as /tmp/wipe, which passes the blocklist check, but the actual wipe operation then writes into /etc. This is a classic symlink-following vulnerability. The method should use File.getCanonicalPath() or Path.toRealPath() to resolve symlinks and relative path components (../) before comparing against the blocklist.
Location: /home/sfloess/Development/github/FlossWare/diskwipe-java/src/main/java/org/flossware/diskwipe/CleanDisk.java:63
Remediation:
Replace dir.getAbsoluteFile().getPath() with dir.getCanonicalPath() (or use java.nio.file.Path.toRealPath()) to resolve symlinks and normalize path components before checking against DANGEROUS_PATHS. Example fix: change lines 63-64 from 'final File absDir = dir.getAbsoluteFile(); final String absPath = absDir.getPath();' to 'final String absPath = dir.getCanonicalPath();' and declare the method as throwing IOException.
Impact Score: 100