Skip to content

Comments

JFMIG - Fix #Artifacts are intermittently being overridden during tra…#1518

Merged
amithins merged 1 commit intojfrog:masterfrom
amithins:master
Feb 2, 2026
Merged

JFMIG - Fix #Artifacts are intermittently being overridden during tra…#1518
amithins merged 1 commit intojfrog:masterfrom
amithins:master

Conversation

@amithins
Copy link
Collaborator

@amithins amithins commented Jan 30, 2026

…nsfer resulting in artifacts being moved to trashcan

  • [*] All tests passed. If this feature is not already covered by the tests, I added new tests.
  • [*] All static analysis checks passed.
  • [*] This pull request is on the master branch.
  • [*] I used gofmt for formatting the code before submitting the pull request.

@amithins
JFMIG - Fix #Artifacts are intermittently being overridden during tra…
4d6ae3d 
…nsfer resulting in artifacts being moved to trashcan
@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 3 issues
Scan Category Status Security Issues
Software Composition Analysis ℹ️ Not Scanned -
Contextual Analysis ✅ Done -
Static Application Security Testing (SAST) ✅ Done
3 Issues Found 1 Medium
2 Low
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026 

os.Create(filepath.Join(transferDir, StopFileName))

at artifactory/commands/transferfiles/transfer.go (line 765)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 752)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 752)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 765)

↘️ filepath.Join(transferDir, StopFileName) (at artifactory/commands/transferfiles/transfer.go line 765)

↘️ os.Create(filepath.Join(transferDir, StopFileName)) (at artifactory/commands/transferfiles/transfer.go line 765)

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 757)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 752)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 752)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 757)

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 765)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 752)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 752)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 765)

@amithins amithins merged commit cec5fd7 into jfrog:master Feb 2, 2026
10 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deepakkjfrog deepakkjfrog deepakkjfrog approved these changes

Assignees

No one assigned

Labels

safe-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amithins @deepakkjfrog