Severity: high
Type: path-traversal
Exploitable: YES
Confidence: 88%
Description
validateSafeDirectory() uses File.getAbsoluteFile() to resolve the path but does not resolve symlinks (no File.getCanonicalPath() or Path.toRealPath()). An attacker or user could create a symlink at a seemingly safe path that points to a dangerous location such as /etc or /var. The validation would pass because the symlink path itself does not match any entry in DANGEROUS_PATHS, but File.createTempFile() in FileWorker will follow the symlink and write to the dangerous target directory.
This was confirmed as a genuine vulnerability across all three analysis perspectives. The severity is high because it directly bypasses the safety guard designed to prevent destructive writes to system directories.
Location: /home/sfloess/Development/github/FlossWare/diskwipe-java/src/main/java/org/flossware/diskwipe/CleanDisk.java:61
Remediation
Replace File.getAbsoluteFile().getPath() with new File(dirPath).getCanonicalPath() (or use java.nio.file.Path.toRealPath()) to resolve all symlinks before checking against DANGEROUS_PATHS. This ensures the validation operates on the true physical path.
Impact Score: 100
Severity: high
Type: path-traversal
Exploitable: YES
Confidence: 88%
Description
validateSafeDirectory()usesFile.getAbsoluteFile()to resolve the path but does not resolve symlinks (noFile.getCanonicalPath()orPath.toRealPath()). An attacker or user could create a symlink at a seemingly safe path that points to a dangerous location such as/etcor/var. The validation would pass because the symlink path itself does not match any entry inDANGEROUS_PATHS, butFile.createTempFile()inFileWorkerwill follow the symlink and write to the dangerous target directory.This was confirmed as a genuine vulnerability across all three analysis perspectives. The severity is high because it directly bypasses the safety guard designed to prevent destructive writes to system directories.
Location:
/home/sfloess/Development/github/FlossWare/diskwipe-java/src/main/java/org/flossware/diskwipe/CleanDisk.java:61Remediation
Replace
File.getAbsoluteFile().getPath()withnew File(dirPath).getCanonicalPath()(or usejava.nio.file.Path.toRealPath()) to resolve all symlinks before checking againstDANGEROUS_PATHS. This ensures the validation operates on the true physical path.Impact Score: 100