Deprecated getFileInputStream methods lack path traversal protection #217

@sfloess

Description

Summary

The deprecated getFileInputStream(File) and getFileInputStream(String) methods in FileUtil.java (lines 272-293) do not perform path traversal validation, creating a potential security vulnerability.

Details

File: /home/sfloess/Development/github/FlossWare/commons-java/src/main/java/org/flossware/commons/util/FileUtil.java:272
Severity: High
CWE: CWE-22 (Path Traversal)

While these methods are marked @Deprecated(since = "1.22", forRemoval = true) and scheduled for removal in v2.0, they remain callable in the current codebase. Callers can pass arbitrary File paths including those with .. traversal sequences, potentially accessing files outside intended directories.

Security Impact

Attackers could potentially:

  • Read sensitive files outside intended directories
  • Bypass access controls by traversing to parent directories
  • Access configuration files, credentials, or other sensitive data

Proposed Solutions

  1. Add path traversal validation to the deprecated methods to match the security controls in the non-deprecated Path-based methods
  2. Document the security limitation in the @deprecated JavaDoc to explicitly warn users of this vulnerability
  3. Consider expediting removal of these methods given the security implications

References

Affected Methods

@Deprecated(since = "1.22", forRemoval = true)
public static FileInputStream getFileInputStream(final File file) throws IOException
  
@Deprecated(since = "1.22", forRemoval = true)
public static FileInputStream getFileInputStream(final String fileName) throws IOException
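The validation that proposed solution 1 asks for, sketched as an added example (not FlossWare's FileUtil code; the class name, the baseDir parameter and the "files must stay under one root" policy are assumptions): the requested name is resolved against a canonicalized root, normalized, checked for containment, and re-checked after following symlinks.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Illustrative hardening (assumed names, not FlossWare's FileUtil API): a caller
// may only open files that resolve inside an allowed root directory.
public final class SafeFileInputStream {

    // Resolve fileName against baseDir and refuse anything that escapes it.
    public static Path resolveWithinBase(final Path baseDir, final String fileName) throws IOException {
        // Canonicalize the root first so a symlinked root compares correctly.
        final Path root = baseDir.toRealPath();
        // normalize() collapses "." and ".." lexically. resolve() with an absolute
        // fileName discards root entirely, so the containment check is mandatory.
        final Path candidate = root.resolve(fileName).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("Path escapes base directory: " + fileName);
        }
        // If the target exists, follow symlinks and re-check: a link inside root
        // may still point outside it.
        if (Files.exists(candidate)) {
            final Path real = candidate.toRealPath();
            if (!real.startsWith(root)) {
                throw new IOException("Symlink escapes base directory: " + fileName);
            }
            return real;
        }
        return candidate;
    }

    // Hardened counterpart of the deprecated getFileInputStream(String); the File
    // overload would delegate here with file.getPath().
    public static FileInputStream getFileInputStream(final Path baseDir, final String fileName) throws IOException {
        return new FileInputStream(resolveWithinBase(baseDir, fileName).toFile());
    }

    public static void main(final String[] args) throws IOException {
        final Path base = Files.createTempDirectory("safe-fis");
        Files.writeString(base.resolve("allowed.txt"), "ok"); // constructed sample file
        try (FileInputStream in = getFileInputStream(base, "allowed.txt")) {
            System.out.println("opened allowed.txt, " + in.available() + " bytes available");
        }
        try {
            getFileInputStream(base, "../escape.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The lexical check alone is not enough on its own: without the toRealPath re-check, a symbolic link created under the root would pass startsWith while still reading outside it.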

Labels

bug, security