CVE-2020-17xx8
Bookmarked!This challenge covers the review of a CVE and its patch
The Code Review Patch challenges are designed to help you identify vulnerabilities by reviewing both the original and patched code. Initially, you are encouraged to find the issue on your own without looking at the provided patch. This practice helps in honing your code review skills and understanding the common patterns that lead to vulnerabilities.
In this particular challenge, you will be analyzing the FileUploadHandler.java
file from the Apache Flink project. The focus is on identifying the line where the value is retrieved. The accompanying patch file, cve-2020-17xx8.diff
, provides the necessary corrections to the code. The patch demonstrates a security fix by wrapping a file instantiation to remove any path information, ensuring that only the filename is considered. This is a preventive measure against path traversal vulnerabilities.