Orca Security Scan Summary
| Status | Check | Issues by priority |
|---|---|---|
| | Infrastructure as Code (View in Orca) | |
| | SAST (View in Orca) | |
| | Secrets (View in Orca) | |
| | Vulnerabilities (View in Orca) | |
🛡️ The following SAST misconfigurations have been detected
| NAME | FILE | LINK |
|---|---|---|
| User Input Can Control File Paths Leading to Directory Traversal | fail.java | View in code |
| Potential XSS Vulnerability from Unsanitized Servlet Parameters | fail.java | View in code |
```java
    Files.deleteIfExists(destinationFile);
    Files.copy(is, destinationFile);
}
log.debug("File saved to {}", new File(destinationDir, multipartFile.getOriginalFilename()));
```
**Check warning** (Code scanning / Orca Shift-Left Security): User input is being used to control a file path, which can lead to directory traversal vulnerabilities (e.g., using `../` to access unintended directories). It's crucial to sanitize any user-controlled variables in file paths to mitigate this risk. Consider using utility methods, like `org.apache.commons.io.FilenameUtils.getName(...)`, to extract only the file name from a given path.
```java
modelAndView.setViewName("files");
File changeIndicatorFile = new File(destinationDir, username + "_changed");
if (changeIndicatorFile.exists()) {
    modelAndView.addObject("uploadSuccess", request.getParameter("uploadSuccess"));
```
**Check warning** (Code scanning / Orca Shift-Left Security): The Servlet can receive GET and POST parameters from multiple methods. These values are potentially unsafe and should be validated or sanitized before being used in sensitive APIs.