
PropertyUtil.fromFile lacks path traversal validation #218

@sfloess

Description


Summary

The PropertyUtil.fromFile(File) and PropertyUtil.fromFile(String) methods at lines 144-163 create a FileInputStream from user-supplied file paths without any path traversal validation.

Severity

High - CWE-22 (Path Traversal)

Vulnerability Details

File: /home/sfloess/Development/github/FlossWare/commons-java/src/main/java/org/flossware/commons/util/PropertyUtil.java

Lines: 144-163

Issue: An attacker could call PropertyUtil.fromFile("../../../etc/passwd") to read arbitrary files on the system outside the intended directory scope.

Current Code

The methods create file streams without validation:

  • fromFile(File file) - directly uses the File object
  • fromFile(String fileName) - converts String to File without validation

Recommended Fix

The code should validate file paths using FileUtil.validatePathTraversal() before opening streams, or document that callers are responsible for validation.

Option 1: Add validation (recommended)

public static Properties fromFile(String fileName) {
    FileUtil.validatePathTraversal(fileName); // Add this
    return fromFile(new File(fileName));
}

Option 2: Document caller responsibility
Add JavaDoc warning that callers must validate paths if accepting user input.
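To illustrate what "validation" must actually do for Option 1, here is an added example (not code from the commons-java project): a hardened counterpart to fromFile(String) that resolves the name against a fixed base directory, canonicalises it, and rejects anything that escapes. The class name SafePropertyLoader, the validatePath method and the conf directory are assumptions; a plain string check for ".." would not catch absolute paths or symlinks, which is why the check compares canonical paths.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

public final class SafePropertyLoader {

    // Hypothetical: the only directory from which property files may be loaded.
    private final Path baseDir;

    public SafePropertyLoader(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and "." / ".." so later comparisons are canonical.
        this.baseDir = baseDir.toRealPath();
    }

    /** Resolve fileName against baseDir and reject anything that lands outside it. */
    public Path validatePath(String fileName) throws IOException {
        // An absolute input ("/etc/passwd") makes resolve() ignore baseDir, and
        // normalize() collapses "../" so "../../etc/passwd" ends up outside baseDir.
        Path candidate = baseDir.resolve(fileName).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("Path escapes base directory: " + fileName);
        }
        // Re-check after following symlinks: a link inside baseDir may point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new IllegalArgumentException("Path escapes base directory via symlink: " + fileName);
        }
        return real;
    }

    /** Hardened counterpart to PropertyUtil.fromFile(String). */
    public Properties fromFile(String fileName) throws IOException {
        Path safe = validatePath(fileName);
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(safe.toFile())) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        SafePropertyLoader loader = new SafePropertyLoader(Paths.get("conf"));
        System.out.println(loader.fromFile("app.properties")); // loads conf/app.properties
        loader.fromFile("../../../etc/passwd");                // throws IllegalArgumentException
    }
}
```

Because the check is done on the resolved Path rather than the raw string, the same guard also rejects "/etc/passwd" and "conf/../../etc/passwd".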

Impact

This vulnerability could allow:

  • Reading sensitive configuration files
  • Information disclosure
  • Potential privilege escalation if combined with other vulnerabilities
