Severity: high
Type: path-traversal
Exploitable: YES
Confidence: 92%
Description
The validateSafeDirectory method uses simple string comparison on the absolute path against a hardcoded list of dangerous paths. This can be bypassed in multiple ways:
- Symbolic links: Symlinks pointing to dangerous directories are not resolved -- a symlink at /tmp/safe -> / would pass validation but wipe the root filesystem.
- Incomplete dangerous path list: The list does not cover /opt, /snap, /run, /mnt, /media, /srv, or Windows paths like C:\Users, D:\, etc.
- Case-insensitive filesystem bypass: On case-insensitive filesystems (macOS HFS+, Windows NTFS), paths like /ETC or c:\windows bypass the case-sensitive comparison.
The method calls getAbsoluteFile() but never calls getCanonicalFile(), which would resolve symlinks. For a disk-wiping utility, this is a meaningful safety bypass because the entire purpose of the validation is to prevent accidental destruction of system directories.
Location
/home/sfloess/Development/github/FlossWare/diskwipe-java/src/main/java/org/flossware/diskwipe/CleanDisk.java:61
Remediation
- Replace new File(dirPath).getAbsoluteFile() with new File(dirPath).getCanonicalFile() to resolve symbolic links.
- Normalize path comparison to be case-insensitive on platforms where the filesystem is case-insensitive.
- Expand the dangerous paths list to include /opt, /snap, /run, /mnt, /media, /srv, and additional Windows drive letters and directories.
- Consider using a whitelist approach instead (only allow specific safe mount points).
Impact Score
100
This issue was automatically generated by security audit workflow.