Security Issue - Unvalidated Characters in Locale Yaml File Path
EarthCitizen opened this issue · 0 comments
EarthCitizen commented
In the method below, in the `Faker` class, the contents of the value `locale` are not validated. This came up in a security scan (http://cwe.mitre.org/data/definitions/73.html). Though not extremely likely, a malicious locale could contain something like: `../../../../../etc`. I think the solution here is simply to verify that `locale` matches something like `[a-zA-Z](-[a-zA-Z][a-zA-Z]+)?`, and if not, throw `IllegalArgumentException`.
```java
import java.io.IOException;
import java.io.InputStream;

private InputStream getDataInputStream(String locale) {
    // The caller-supplied locale is concatenated into the resource path unchecked.
    InputStream input = getClass().getClassLoader()
            .getResourceAsStream("locales/" + locale + ".yml");
    try {
        if (input != null && input.available() != 0) {
            return input;
        }
    } catch (IOException e) {
        // Treated the same as a missing resource: fall through to the exception below.
    }
    throw new IllegalArgumentException("Unavailable locale '" + locale + "'");
}
```
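A hardened version of the method with an allow-list check in front of the path concatenation, as an added example rather than the project's own code. The `LocaleResourceLoader` class name and the `LOCALE_PATTERN` regex are assumptions; the pattern is somewhat broader than the one proposed above so that tags such as `en`, `en-US` and `zh-CN` pass, while anything containing `/`, `.` or other separators is rejected before it reaches the classloader.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;

public class LocaleResourceLoader {
    // Allow-list for locale identifiers (assumed shape): 2-3 letters, then up to two
    // dash-separated letter-only subtags. No '.', '/', '\\' or '..' can ever match.
    private static final Pattern LOCALE_PATTERN =
            Pattern.compile("[a-zA-Z]{2,3}(-[a-zA-Z]{2,8}){0,2}");

    /** True only if the whole string matches the allow-list (matches() anchors both ends). */
    static boolean isValidLocale(String locale) {
        return locale != null && LOCALE_PATTERN.matcher(locale).matches();
    }

    /** Same lookup as the original, but untrusted input is validated before building the path. */
    InputStream getDataInputStream(String locale) {
        if (!isValidLocale(locale)) {
            // Reject rather than try to sanitise; a traversal attempt never becomes a path.
            throw new IllegalArgumentException("Invalid locale identifier");
        }
        InputStream input = getClass().getClassLoader()
                .getResourceAsStream("locales/" + locale + ".yml");
        try {
            if (input != null && input.available() != 0) {
                return input;
            }
        } catch (IOException e) {
            // Missing or unreadable resource: fall through to the exception below.
        }
        throw new IllegalArgumentException("Unavailable locale '" + locale + "'");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate tags and three that should be rejected.
        String[] samples = {"en", "en-US", "../../../../../etc", "en/../../passwd", "en-US.yml"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isValidLocale(s) ? "accepted" : "rejected"));
        }
    }
}
```

Because `matches()` requires the entire string to fit the pattern, partial matches such as `en-US.yml` are rejected along with the traversal strings.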