After a security scan, I get the error Absolute Path Traversal in the file:
https://github.com/takari/maven-wrapper/blob/master/.mvn/wrapper/MavenWrapperDownloader.java
Line 50: File baseDirectory = new File(args[0]);
MavenWrapperDownloader.java actually belongs to Apache ... is there a newer version of the file with which I will not get this error?
One option I found (https://portswigger.net/web-security/file-path-traversal) is to use
File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}
But in the java class they are already checking:
File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
String url = DEFAULT_DOWNLOAD_URL;
if(mavenWrapperPropertyFile.exists()) {
    ...
Any suggestions?
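The canonical-path containment check from the PortSwigger snippet, written out as a complete, added example (not code from the maven-wrapper project). It assumes a constructed base directory under java.io.tmpdir and the property-file path `.mvn/wrapper/maven-wrapper.properties`; the point it adds is that a plain startsWith on the base string also accepts a sibling directory whose name merely begins with the base name, so the comparison includes the trailing separator.

```java
import java.io.File;
import java.io.IOException;

// Resolve a caller-supplied relative path under a fixed base directory and
// reject anything whose canonical form lies outside that directory.
public class SafePathResolver {

    // Returns the resolved file, or throws if userInput escapes baseDirectory.
    public static File resolveInside(File baseDirectory, String userInput) throws IOException {
        // getCanonicalPath collapses "." and ".." segments and resolves symlinks
        // for the parts of the path that already exist on disk.
        String base = baseDirectory.getCanonicalPath();
        File candidate = new File(baseDirectory, userInput);
        String resolved = candidate.getCanonicalPath();

        // Caveat: resolved.startsWith(base) alone would accept "/tmp/base2/x"
        // for base "/tmp/base". Require equality or the base plus a separator.
        if (resolved.equals(base) || resolved.startsWith(base + File.separator)) {
            return candidate;
        }
        throw new IOException("Path escapes base directory: " + userInput);
    }

    // Boolean form of the same check, matching the shape of the snippet above.
    public static boolean isInside(File baseDirectory, String userInput) {
        try {
            resolveInside(baseDirectory, userInput);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed base directory (assumption); canonicalisation does not require it to exist.
        File base = new File(System.getProperty("java.io.tmpdir"), "wrapper-base");
        String[] inputs = {
            ".mvn/wrapper/maven-wrapper.properties",     // stays inside base
            "../wrapper-base2/maven-wrapper.properties",  // sibling sharing the name prefix: outside
            "../../outside/file.txt",                     // plain traversal: outside
        };
        for (String in : inputs) {
            System.out.println((isInside(base, in) ? "inside  " : "OUTSIDE ") + in);
        }
    }
}
```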
For me, the code below, which is part of Apache Commons IO, worked:
FilenameUtils.normalize(baseDirectory)