Deprecated ensureFileExists methods lack path traversal protection #215

@sfloess

Severity

High

Location

  • File: src/main/java/org/flossware/commons/util/FileUtil.java
  • Lines: 304-325
  • Methods: ensureFileExists(File), ensureFileExists(String)

Description

The deprecated ensureFileExists(File) and ensureFileExists(String) methods do not validate against path traversal attacks (CWE-22). Malicious inputs like ../../../etc/passwd would be processed without validation.

While validatePathTraversal() methods exist in the same class for modern NIO.2 Path-based APIs, these deprecated File-based methods remain vulnerable until removed in v2.0.

Impact

Applications using these deprecated methods could be vulnerable to path traversal attacks, allowing attackers to access or create files outside the intended directory.

Affected Code

@Deprecated(since = "1.22", forRemoval = true)
public static File ensureFileExists(final File file) throws IOException {
    // No path traversal validation
}

@Deprecated(since = "1.22", forRemoval = true)
public static File ensureFileExists(final String fileName) throws IOException {
    // No path traversal validation
}

Recommendation

  1. Short-term: Add path traversal validation to deprecated methods to protect users still on v1.x
  2. Long-term: Remove in v2.0 as planned (already marked forRemoval = true)
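The short-term recommendation above, as an added example that is not FileUtil's own code: a File-returning helper in the spirit of ensureFileExists(String) that refuses any name escaping a caller-supplied base directory before touching the filesystem. The baseDir parameter, the method names and the class name are assumptions; the issue does not show the signature of the existing validatePathTraversal() helpers, so this block carries its own check.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not part of org.flossware.commons: a hardened counterpart to
 * the deprecated ensureFileExists(String) that blocks path traversal (CWE-22).
 * The base-directory parameter is an assumption; the deprecated methods take
 * no such argument, which is why they cannot tell "inside" from "outside".
 */
public final class SafeFileUtil {
    private SafeFileUtil() {}

    /**
     * Resolve fileName against baseDir and verify that the normalized result
     * still lies inside baseDir. Throws IllegalArgumentException otherwise.
     */
    public static Path resolveWithinBase(final Path baseDir, final String fileName) {
        final Path base = baseDir.toAbsolutePath().normalize();
        final Path candidate = Paths.get(fileName);
        // An absolute input would ignore baseDir entirely, so reject it outright.
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("Absolute paths are not allowed: " + fileName);
        }
        // normalize() collapses "." and ".." lexically, so "a/../../x" resolves to
        // base's parent and fails the startsWith check below.
        final Path resolved = base.resolve(candidate).normalize();
        // Path.startsWith compares whole name elements, so "/data/base" is not
        // fooled by "/data/basement".
        if (resolved.equals(base) || !resolved.startsWith(base)) {
            throw new IllegalArgumentException("Path escapes base directory: " + fileName);
        }
        return resolved;
    }

    /**
     * Validates first, then creates the file (and missing parent directories)
     * and returns it as a File, matching the deprecated method's return type.
     */
    public static File ensureFileExistsWithin(final Path baseDir, final String fileName)
            throws IOException {
        final Path target = resolveWithinBase(baseDir, fileName);
        if (Files.notExists(target)) {
            Files.createDirectories(target.getParent());
            Files.createFile(target);
        }
        return target.toFile();
    }

    // Demonstration: a normal relative name is accepted, a traversal attempt is rejected.
    public static void main(final String[] args) throws IOException {
        final Path base = Files.createTempDirectory("safefileutil-demo");
        System.out.println("Accepted: " + ensureFileExistsWithin(base, "reports/summary.txt"));
        try {
            ensureFileExistsWithin(base, "../../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The check is lexical: normalize() does not follow symbolic links, so if baseDir may contain links pointing outside itself, resolve the nearest existing ancestor with toRealPath() and compare against that as well.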

References

Related

  • Deprecation timeline: v1.x maintenance, v2.0 removal
  • See CLAUDE.md deprecation policy

Labels: bug, security