srikotesh asked:
writing data to file code shows vulnerability

Hi Experts,

While writing data to a file, below is the logic I am using. When I scan my code (I used IBM AppScan), the code below is reported as suspected code. Can someone suggest what is wrong in my code below?

      fos.write(bytes);   is the suspected line in the code below.


import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.zip.GZIPInputStream;

public class WriteDataTest {

	private static void writeDataInFile() throws IOException {
		byte bytes[] = null;
		ByteArrayInputStream bais = null;
		GZIPInputStream gzis = null;
		ByteArrayOutputStream baos = null;
		FileOutputStream fos = null;
		try {
			fos = new FileOutputStream("D:\\test\\test1");
			String empName = "srkrao";
			bytes = empName.getBytes();
			if (bytes != null && bytes.length >= 2) {
				System.out.println("bytes.len>=2");
				byte buffer[] = new byte[2048];
				int length = 0;
				baos = new ByteArrayOutputStream();
				bais = new ByteArrayInputStream(bytes);
				// bytes holds plain text, not gzip data: this constructor throws
				// ZipException ("Not in GZIP format") and control jumps to the catch block
				gzis = new GZIPInputStream(bais);
				while ((length = gzis.read(buffer)) >= 0)
					baos.write(buffer, 0, length);
				bytes = baos.toByteArray();
				fos.write(bytes);   // this is the line showing as suspected one
			} else {
				System.out.println("else");
				fos.write(bytes);
			}
		} catch (Exception ex) {
			// the original swallowed the exception here, leaving an empty file with no trace
			System.out.println("error while setting the data in fos");
			ex.printStackTrace();
		} finally {
			// null checks: any stream not yet opened when the exception occurred is still null
			if (baos != null) baos.close();
			if (bais != null) bais.close();
			if (gzis != null) gzis.close();
			if (fos != null) fos.close();
		}
	}

	public static void main(String[] args) throws IOException {
		writeDataInFile();
	}
}


CEHJ (United Kingdom of Great Britain and Northern Ireland):

I don't get that code: the input is clearly not gzip encoded, so why are you reading it as such?
Hmm, never heard of IBM AppScan. But if it is a useful tool, it should tell you what the problem is.

If that tool is a kind of AV, then the access pattern may be the problem. Thus writing to D:\Test is maybe suspicious.
If that tool is a kind of code checker, then maybe using arrays and streams, and how you use them, is suspicious.
The line you've marked as being flagged:

    fos.write(bytes);   // this is the line showing as suspected one

is problematic since it's not guaranteed to write it all (see DataOutputStream.writeFully).
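The page never says which rule AppScan raised, so the following is an added example (not the asker's code and not one of the answers) showing how the same write would look once the points made in this thread are addressed: the bytes are actually gzip-compressed before anything tries to decompress them, every stream is closed by try-with-resources even when an exception is thrown, the exception is no longer swallowed, the written length is checked after the write, and the output file name is confined to a fixed base directory instead of being built from a raw path. The class name GzipRoundTrip, the method names and the temporary directory used for the output are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import java.util.zip.ZipException;

public class GzipRoundTrip {

    // Compress plain bytes so that there is real gzip data to decompress later.
    static byte[] gzip(byte[] plain) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (GZIPOutputStream gzos = new GZIPOutputStream(baos)) {
            gzos.write(plain);
        } // close() writes the gzip trailer before baos is read back
        return baos.toByteArray();
    }

    // Decompress gzip data. Non-gzip input makes the constructor throw ZipException,
    // which is exactly what happens to the plain "srkrao" bytes in the question.
    static byte[] gunzip(byte[] compressed) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (InputStream gzis = new GZIPInputStream(new ByteArrayInputStream(compressed))) {
            byte[] buffer = new byte[2048];
            int n;
            while ((n = gzis.read(buffer)) != -1) {
                baos.write(buffer, 0, n);
            }
        }
        return baos.toByteArray();
    }

    // Resolve fileName inside baseDir and refuse any name that resolves outside it.
    static Path confinedPath(Path baseDir, String fileName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("file name escapes base directory: " + fileName);
        }
        return target;
    }

    // Write data to baseDir/fileName; streams close on every path, exceptions propagate,
    // and the resulting file size is verified against the number of bytes handed in.
    static long writeDataInFile(Path baseDir, String fileName, byte[] data) throws IOException {
        Path target = confinedPath(baseDir, fileName);
        Files.createDirectories(target.getParent());
        try (OutputStream fos = Files.newOutputStream(target)) {
            fos.write(data);
        }
        long written = Files.size(target);
        if (written != data.length) {
            throw new IOException("short write: expected " + data.length + " bytes, got " + written);
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        byte[] plain = "srkrao".getBytes(StandardCharsets.UTF_8);   // constructed sample input
        byte[] restored = gunzip(gzip(plain));
        if (!Arrays.equals(plain, restored)) {
            throw new AssertionError("gzip round trip mismatch");
        }

        Path baseDir = Files.createTempDirectory("gzip-roundtrip");  // stands in for D:\test
        System.out.println("wrote " + writeDataInFile(baseDir, "test1", restored) + " bytes");

        // The two failure modes discussed in the thread, now visible instead of swallowed.
        try {
            gunzip(plain);
        } catch (ZipException e) {
            System.out.println("plain input rejected: " + e.getMessage());
        }
        try {
            confinedPath(baseDir, "../escape");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac GzipRoundTrip.java && java GzipRoundTrip`. The size check after the write is the cheap way to get the "did it all get written" guarantee the last comment asks for without relying on a method name; FileOutputStream.write(byte[]) does write the whole array, but verifying the file afterwards also catches a disk-full or permission failure that a swallowed exception would have hidden.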