False positive: Path traversal attack detected #750
Comments
|
Did you solve this bug? |
|
@Nurlyy In the end I wouldn't cal it a bug. It is simply a misleading logging text that emphasizes the path traversal attack part and disconnects the invalid file-name part. I created a PR that in my opinions improves those logging messages in a way that the Jadx users not stop reading on the "path traversal" part. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While decompiling the latest Facbook Messenger app com.facebook.orca_230.0.0.12.117 (169378234) I encountered an messages on path traversal attacks that looks like a false positive:
It seems that the path traversal detection system does not work reliable on Windows in case the file name starts with a
con(which is a reserved word on Windows and can't therefore be used as a file name).The canonical value of a path containing such a file always is converted to
\\.\con.From my understanding this may be a bug in Java (tested with Oracle Java 1.8 and OpenJDK 11.0.4).
Is there anything we can do about this?
The text was updated successfully, but these errors were encountered: