How to Fix Veracode External Control of file name or path — CWE ID 73

In this tutorial we will learn how to fix Directory traversal Veracode issue.

How does Veracode Static Analysis look for it?

In general Veracode Static Analysis reports this flaw when:

1. It searches your binaries for methods that operate on files (like “new File”).
2. It traces every input into the filename to an application entry point.
   Note that this can be from an HTTP request, user supplied data or from a file or database query.
3. If it can find such a path it will open a flaw.

How can I fix it?

File f = new File("config.properties");

Read the file path from Yml or properties file instead of DB.