Path Manipulation and Resource Injection
Overview
Path manipulation (also called path traversal) occurs when user-controlled input is used, without adequate validation, to build a file system path or another resource identifier such as a file name, URL, port number or registry key. Resource injection is the general form of the same weakness: the attacker, rather than the application, decides which resource is opened.
Impact
Attackers may read any file the application process can access (configuration files, source code, credentials), overwrite or delete resources, or retrieve data they are not authorized to see. In a download handler like the one below, a file name containing ".." and a separator walks out of the intended attachment directory.
Countermeasures
Normalize (canonicalize) the path before using it, accept only names that match an allowlist of expected resource names or a strict pattern for a single file-name component, reject or strip traversal sequences and separators, and enforce the access check on the resolved path, that is, on the file that will actually be opened rather than on the raw parameter. Stripping characters alone is the weakest of these measures: it is easy to miss an encoding or a platform-specific separator, so it should be combined with a containment check that the normalized path still starts with the intended base directory.
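The following class is an added example, not code from the page or from the project the page's snippets come from. It puts all four countermeasures together for a download handler: an allowlist pattern for the user-supplied name, normalization of the joined path, a containment check against the base directory, and an access check that runs on the resolved path. The class name, the base directory /srv/app/web/board_attach, the allowlisted extensions and the toy authorization policy are all assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public final class AttachmentPathResolver {
    // Allowlist for the user-supplied part: one file-name component drawn from a safe
    // character set, exactly one dot and a known extension. Separators, "..", NUL bytes
    // and '&' can never match, so they are rejected rather than stripped.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.(pdf|png|jpg|txt)$");

    private final Path baseDir;

    public AttachmentPathResolver(Path baseDir) {
        // Canonicalize the base once so the containment check compares like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Returns the attachment path for userSupplied, or throws if the name fails the
     * allowlist, the normalized path leaves baseDir, or the requester is not
     * authorized for that file.
     */
    public Path resolve(String userSupplied, Predicate<Path> authorizedForRequester) {
        if (userSupplied == null || !SAFE_NAME.matcher(userSupplied).matches()) {
            throw new IllegalArgumentException("file name not in allowlist");
        }
        // Normalize after joining so any "." or ".." components collapse before the check.
        Path candidate = baseDir.resolve(userSupplied).normalize();
        // Defence in depth: the allowlist already forbids separators, but verify
        // containment anyway (startsWith compares whole path components).
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes attachment directory");
        }
        // The access check runs on the resolved path, i.e. on what will actually be opened.
        if (!authorizedForRequester.test(candidate)) {
            throw new SecurityException("requester may not read " + candidate.getFileName());
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample: an assumed base directory and a toy policy that only
        // permits report.pdf for the current requester.
        AttachmentPathResolver resolver =
                new AttachmentPathResolver(Paths.get("/srv/app/web/board_attach"));
        Predicate<Path> policy = p -> p.getFileName().toString().equals("report.pdf");

        String[] samples = {
            "report.pdf",                 // accepted
            "other.pdf",                  // passes the allowlist, fails the access check
            "../../etc/passwd",           // traversal with '/'
            "..\\..\\win.ini",            // traversal with '\'
            "notes.txt/../../secret.txt", // traversal hidden behind a valid-looking name
            "a.pdf\u0000.txt",            // embedded NUL byte
            "report.pdf&x=1",             // stray metacharacter
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + resolver.resolve(s, policy));
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("REJECT " + s.replace("\0", "\\0") + " : " + e.getMessage());
            }
        }
    }
}
```

In a servlet, the handler would pass the value of request.getParameter("filepath") as userSupplied and a predicate built from the session's user and the board's attachment records as the policy. If the attachment directory may contain symbolic links, call toRealPath() on the candidate (it requires the file to exist) and repeat the startsWith check on the result, since normalize() works on the string form only and does not follow links.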
Examples
Unsafe code: the file name from the request is appended to the attachment directory unchanged, so a value containing ".." and a separator escapes the directory.

public void download(HttpServletRequest request, HttpServletResponse response) throws Exception {
    String filepath = request.getParameter("filepath");
    if (filepath == null)
        return;
    // The user-controlled value is concatenated directly into the path; nothing
    // rejects traversal sequences or separators before the file is opened.
    filepath = PathUtil.getHome() + "/web/board_attach/" + filepath;
    DownloadUtil.download(response, filepath);
}
Fixed code: separators, dots and '&' are removed from the parameter before it is used to build the path, so the resulting name can only refer to a file directly inside the attachment directory.

public void download(HttpServletRequest request, HttpServletResponse response) throws Exception {
    String filepath = request.getParameter("filepath");
    if (filepath == null)
        return;
    // Strip every character that could form a traversal sequence or change
    // which directory the name refers to ('/', '\', '.' and '&').
    filepath = filepath.replaceAll("/", "");
    filepath = filepath.replaceAll("\\\\", "");
    // Note: this also removes the dot before a file extension, so the stored
    // attachment names must not depend on one.
    filepath = filepath.replaceAll("\\.", "");
    filepath = filepath.replaceAll("&", "");
    filepath = PathUtil.getHome() + "/web/board_attach/" + filepath;
    DownloadUtil.download(response, filepath);
}