[JAVA] Partial Path Traversal Vuln Query #9742
smehta23 commented Jun 28, 2022
- [JAVA] Partial Path Traversal Vuln Query
- Finish Partial Path Traversal Query
- Add additional tests from real world query run
Could you clarify if you're making a bounty application for this or not?

Hi! This is submitted by my intern. I'd like him to turn this into a bounty application, if possible 🙂
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
| "qhelp.dtd"> | ||
| <qhelp> | ||
| <overview> | ||
| <p>User supplied file paths can often pose security risks if a program does not correctly handle them. In particular, if a user |
I would change the position of "correctly" to become "does not handle them correctly"
| <qhelp> | ||
| <overview> | ||
| <p>User supplied file paths can often pose security risks if a program does not correctly handle them. In particular, if a user | ||
| is meant to access files under a certain directory but does not enters a path under that directory, they can gain access to |
| <overview> | ||
| <p>User supplied file paths can often pose security risks if a program does not correctly handle them. In particular, if a user | ||
| is meant to access files under a certain directory but does not enters a path under that directory, they can gain access to | ||
| (and potentially modify/delete) unexpected, possibly sensitive resources. </p> |
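Review bot: in the second sentence of the overview, "is meant to access files under a certain directory but does not enters a path under that directory" has a subject-verb error and states the opposite of the intended condition, since the risk is a path that escapes the directory. Suggest "is meant to access files under a certain directory but supplies a path that is not under that directory, they can gain access to".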
Should it then be "...they can unexpectedly gain access to (and potentially modify/delete) possibly sensitive resources"?
(I've currently phrased it that way, but let me know if you'd prefer something different!)
You can do both here, choice is yours :-)
…e.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
Co-authored-by: Chris Smowton <smowton@github.com>
A <p> at the top isn't allowed, and for some reason the inclusion is required to be a valid qhelp file.
I've pushed two commits that proved necessary to performance-evaluate this PR:

@github/docs-content-codeql highlighting @JLLeitschuh's request above to expedite docs review on this PR due to the author shortly finishing their internship.

Pushed one further commit to autoformat ql to hopefully get tests passing.

Performance eval completed with benign results; just need docs review now.

Covering for the docs first responder here 👋🏻 - I added this PR to our board for review by the Docs team. Thanks for your patience 🙇🏻♀️ 😅

Apologies, I am on my own for 2 weeks, and am very busy, but will review this now. Thank you for your patience 🙇🏻♀️
mchammer01 left a comment
Apologies for the delay in reviewing this 😢
This LGTM 💖
I've made a few comments to bring the content in line with our content model.
Let me know if you have any questions 😃
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
@JLLeitschuh @smehta23 was there ever a bounty application for this?

We will submit one as soon as we both get back from Vegas