Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document "Uncontrolled data used in path expression" in file/directory path validators #899

Closed
sleberknight opened this issue Jan 31, 2023 · 0 comments · Fixed by #900
Closed
Assignees
Labels
documentation Improvements or additions to documentation
Milestone

Comments

@sleberknight
Copy link
Member

sleberknight commented Jan 31, 2023

CodeQL flagged "Uncontrolled data used in path expression" in FilePathValidator (#884) and DirectoryPathValidator (#885).

These annotations are intended to be used to validate application configuration, e.g. a Dropwizard service that needs to know where a directory is located. The file or directory location can be anywhere on a filesystem. They are not intended to be used on domain objects that come from user input, e.g. from a web application. Obviously this usage cannot be enforced. But since we cannot really place restrictions on the directory or file paths, the best thing to do is probably just document (in the Javadoc) the risks, and the intended usage of these annotations. The associated CodeQL alerts will be dismissed as "Won't Fix" and the issues closed as "Won't Fix", and reference this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant