Java Snippet #06
Bookmarked!This challenge covers the review of a snippet of code written in Java
The Code Review Snippet challenge in question focuses on a Java class named Proxy
that fetches data from a given URL. The method get(String uri)
initializes a URL object from the provided uri
, opens a stream to read data, and returns the data as a string. However, this implementation has a critical security vulnerability.
The vulnerability lies in the fact that the method does not validate the uri
scheme. This allows an attacker to supply a file://
URL, enabling the reading of any local file on the server, such as sensitive configuration files or /etc/passwd
. This flaw exposes the server to arbitrary local file read attacks, jeopardizing the confidentiality of the server’s data.