blocoio/faker

Security Issue - Unvalidated Characters in Locale Yaml File Path

EarthCitizen opened this issue · 0 comments

In the method below, in the Faker class, the contents of the value locale are not validated. This came up in a security scan (http://cwe.mitre.org/data/definitions/73.html). Though not extremely likely, a malicious locale could contain something like: ../../../../../etc. I think the solution here is simply to verify that locale matches something like [a-zA-Z](-[a-zA-Z][a-zA-Z]+)?, and if not, throw IllegalArgumentException.

  // Excerpt from the Faker class. The caller-supplied locale is concatenated
  // into the resource name without any validation (the CWE-73 finding).
  // Requires: import java.io.IOException; import java.io.InputStream;
  private InputStream getDataInputStream(String locale) {
    InputStream input = getClass().getClassLoader()
        .getResourceAsStream("locales/" + locale + ".yml");

    try {
      if (input != null && input.available() != 0) {
        return input;
      }
    } catch (IOException e) {
      // ignored: treated the same as a missing resource
    }

    throw new IllegalArgumentException("Unavailable locale '" + locale + "'");
  }
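One way to add the check the issue proposes, as an added example that is not code from the project or from the issue author: validate the locale against a whole-string pattern before it is spliced into the resource name, and reject anything else with IllegalArgumentException. The class name, the pattern (deliberately broader than the one suggested above so that multi-subtag locales such as en-au-ocker still pass) and the length cap are assumptions for this example; the lookup itself mirrors the method quoted in the issue.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;

public class LocaleResourceLoader {

    // Assumed shape of a locale tag: a 2-3 letter language subtag, optionally
    // followed by hyphen-separated subtags of 2-5 letters ("en", "en-US",
    // "en-au-ocker"). Letters and hyphens only, so no '/', '\\', '.' or NUL.
    private static final Pattern LOCALE_TAG =
            Pattern.compile("[a-zA-Z]{2,3}(-[a-zA-Z]{2,5})*");

    // Assumed upper bound; real tags are far shorter than this.
    private static final int MAX_LOCALE_LENGTH = 32;

    /**
     * Returns the locale unchanged if it is safe to embed in a resource path,
     * otherwise throws IllegalArgumentException. matcher(...).matches() anchors
     * the whole input, so "en-US/../x" fails even though "en-US" is a prefix.
     */
    static String validateLocale(String locale) {
        if (locale == null
                || locale.length() > MAX_LOCALE_LENGTH
                || !LOCALE_TAG.matcher(locale).matches()) {
            throw new IllegalArgumentException("Invalid locale '" + locale + "'");
        }
        return locale;
    }

    /** Same lookup as the original method, but the locale is validated first. */
    InputStream getDataInputStream(String locale) {
        String safeLocale = validateLocale(locale);
        InputStream input = getClass().getClassLoader()
                .getResourceAsStream("locales/" + safeLocale + ".yml");

        try {
            if (input != null && input.available() != 0) {
                return input;
            }
        } catch (IOException e) {
            // ignored: treated the same as a missing resource
        }

        throw new IllegalArgumentException("Unavailable locale '" + safeLocale + "'");
    }

    // Constructed sample inputs: valid tags plus the traversal strings a scanner
    // would flag. Expected: the first three are accepted, the rest rejected.
    public static void main(String[] args) {
        String[] samples = {
            "en", "en-US", "en-au-ocker",
            "../../../../../etc/passwd", "en-US/../../secrets", "en\u0000", ""
        };
        for (String s : samples) {
            try {
                validateLocale(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The important detail is the use of matches() rather than find(): find() would accept any string that merely contains a locale-shaped substring, which is exactly the mistake that lets "en-US/../../secrets" through. Whitelisting the character set also sidesteps guessing which separators the class loader on a given JVM will or will not normalise.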