PTFix: Rule-Based and LLM Techniques for Java Path Traversal Vulnerability | SpringerLink
Skip to main content
Springer Nature Link
Log in

PTFix: Rule-Based and LLM Techniques for Java Path Traversal Vulnerability

  • Conference paper
  • First Online:
Data Security and Privacy Protection (DSPP 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 15215))

Included in the following conference series:

  • 72 Accesses

Abstract

Path Traversal Vulnerability is a significant security flaw that allows attackers to exploit the file system structure of web applications by manipulating user input to access files outside the intended directory structure. This vulnerability can lead to unauthorized access to sensitive files and directories, resulting in severe consequences such as information disclosure, data manipulation, and system compromise. Despite its high likelihood of exploitation, as ranked eighth in the 2023 CWE Top 25 Most Dangerous Software Weaknesses, automated repair methods for this vulnerability, particularly in Java, remain underdeveloped. This paper introduces a methodology, named PTFix, which is a rule-based and LLM technique for repairing Java Path Traversal vulnerability. PTFix includes two stages: 1) analyze and patch Java path traversal vulnerability based on pre-defined rules; 2) integrate with LLMs to patch Java codes that do not match the rule. A comparative study was conducted using four large language models: Meta Llama2 7B, Codellama Instruct 34B, Claude3, and ChatGPT-4. The results revealed that while Meta Llama2 7B and Codellama Instruct 34B failed to correctly fix any examples, Claude3 successfully repaired two instances, and ChatGPT-4 outperformed the other models by correctly repairing four examples. These findings highlight the potential of combining static rule-based methods with LLMs to improve the automated repair of path traversal vulnerabilities in Java applications.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 17159
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 21449
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. 2023 stubborn weaknesses in the CWE top 25. https://cwe.mitre.org/top25/archive/2023/2023_stubborn_weaknesses.html. Accessed 13 June 2024

  2. GPT-4. https://openai.com/index/gpt-4/. Accessed 13 June 2024

  3. Meta code llama. https://llama.meta.com/code-llama/. Accessed 13 June 2024

  4. Meta code llama. https://www.anthropic.com/news/claude-3-family. Accessed 13 June 2024

  5. Meta llama 2. https://llama.meta.com/llama2/. Accessed 13 June 2024

  6. National vulnerability database. https://nvd.nist.gov/. Accessed 13 June 2024

  7. Path traversal (2024). https://www.synopsys.com/glossary/what-is-path-traversal.html. Accessed 13 June 2024

  8. Adamsen, C.Q., Møller, A., Karim, R., Sridharan, M., Tip, F., Sen, K.: Repairing event race errors by controlling nondeterminism. In: 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE) (2017)

    Google Scholar 

  9. Ahmed, C.F., Tanbeer, S.K., Jeong, B.S., Lee, Y.K.: Efficient mining of utility-based web path traversal patterns. In: 2009 11th International Conference on Advanced Communication Technology, vol. 3, pp. 2215–2218. IEEE (2009)

    Google Scholar 

  10. Banerjee, A., Chong, L.K., Ballabriga, C., Roychoudhury, A.: EnergyPatch: repairing resource leaks to improve energy-efficiency of android apps. IEEE Trans. Software Eng. 44(5), 470–490 (2017)

    Article  Google Scholar 

  11. Bhandari, G., Naseer, A., Moonen, L.: CVEfixes: automated collection of vulnerabilities and their fixes from open-source software. In: Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering, pp. 30–39 (2021)

    Google Scholar 

  12. Chen, Z., Kommrusch, S., Monperrus, M.: Neural transfer learning for repairing security vulnerabilities in C code. IEEE Trans. Software Eng. 49(1), 147–165 (2022)

    Article  Google Scholar 

  13. Cheng, X., Zhou, M., Song, X., Gu, M., Sun, J.: IntPTI: automatic integer error repair with proper-type inference. In: 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 996–1001. IEEE (2017)

    Google Scholar 

  14. Chi, J., Qu, Y., Liu, T., Zheng, Q., Yin, H.: SeqTrans: automatic vulnerability fix via sequence to sequence learning. IEEE Trans. Software Eng. 49(2), 564–585 (2022)

    Article  Google Scholar 

  15. Flanders, M.: A simple and intuitive algorithm for preventing directory traversal attacks. arXiv preprint arXiv:1908.04502 (2019)

  16. Fu, M., Tantithamthavorn, C., Le, T., Nguyen, V., Phung, D.: Vulrepair: a T5-based automated software vulnerability repair. In: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 935–947 (2022)

    Google Scholar 

  17. Gao, Q., et al.: Safe memory-leak fixing for C programs. In: 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, vol. 1, pp. 459–470. IEEE (2015)

    Google Scholar 

  18. Github: Github - PTFix (2024). https://github.com/DarylZhang/PTFix/tree/develop

  19. Goues, C.L., Pradel, M., Roychoudhury, A.: Automated program repair. Commun. ACM 62(12), 56–65 (2019)

    Article  Google Scholar 

  20. Hou, L., Kwok, J.T.: Loss-aware weight quantization of deep networks. arXiv preprint arXiv:1802.08635 (2018)

  21. Huang, K., et al.: A survey on automated program repair techniques. arXiv preprint arXiv:2303.18184 (2023)

  22. Huang, Z., Lie, D., Tan, G., Jaeger, T.: Using safety properties to generate vulnerability patches. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 539–554. IEEE (2019)

    Google Scholar 

  23. Islam, N.T., Najafirad, P.: Code security vulnerability repair using reinforcement learning with large language models. arXiv preprint arXiv:2401.07031 (2024)

  24. Jin, G., Song, L., Zhang, W., Lu, S., Liblit, B.: Automated atomicity-violation fixing. In: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 389–400 (2011)

    Google Scholar 

  25. Jin, M., et al.: InferFix: End-to-end program repair with LLMs. In: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1646–1656 (2023)

    Google Scholar 

  26. Lee, J., Hong, S., Oh, H.: MemFix: static analysis-based repair of memory deallocation errors for c. In: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 95–106 (2018)

    Google Scholar 

  27. Liu, K., Koyuncu, A., Kim, D., Bissyandé, T.F.: TBar: revisiting template-based automated program repair. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 31–42 (2019)

    Google Scholar 

  28. Monperrus, M.: Automatic software repair: a bibliography. ACM Comput. Surv. (CSUR) 51(1), 1–24 (2018)

    Article  Google Scholar 

  29. Park, E., Ahn, J., Yoo, S.: Weighted-entropy-based quantization for deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 5456–5464 (2017)

    Google Scholar 

  30. Pearce, H., Tan, B., Ahmad, B., Karri, R., Dolan-Gavitt, B.: Examining zero-shot vulnerability repair with large language models. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 2339–2356. IEEE (2023)

    Google Scholar 

  31. Selakovic, M., Pradel, M.: Poster: automatically fixing real-world JavaScript performance bugs. In: 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, vol. 2, pp. 811–812. IEEE (2015)

    Google Scholar 

  32. Sennrich, R., Haddow, B., Birch, A.: Neural machine translation of rare words with subword units. arXiv preprint arXiv:1508.07909 (2015)

  33. Shen, Z., Chen, S.: A survey of automatic software vulnerability detection, program repair, and defect prediction techniques. Secur. Commun. Netw. 2020(1), 8858010 (2020)

    Google Scholar 

  34. Tian, Y., Ray, B.: Automatically diagnosing and repairing error handling bugs in C. In: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pp. 752–762 (2017)

    Google Scholar 

  35. van Tonder, R., Goues, C.L.: Static automated program repair for heap properties. In: Proceedings of the 40th International Conference on Software Engineering, pp. 151–162 (2018)

    Google Scholar 

  36. Wang, W., Wang, Y., Joty, S., Hoi, S.C.: RAP-Gen: retrieval-augmented patch generation with codet5 for automatic program repair. In: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 146–158 (2023)

    Google Scholar 

  37. Wang, Y.T., Lee, A.J.: Mining web navigation patterns with a path traversal graph. Expert Syst. Appl. 38(6), 7112–7122 (2011). https://doi.org/10.1016/j.eswa.2010.12.058, https://www.sciencedirect.com/science/article/pii/S0957417410014211

  38. Winter, E., et al.: How do developers really feel about bug fixing? Directions for automatic program repair. IEEE Trans. Softw. Eng. (2022)

    Google Scholar 

  39. Wu, Y., et al.: How effective are neural networks for fixing security vulnerabilities. In: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1282–1294 (2023)

    Google Scholar 

  40. Xia, C.S., Wei, Y., Zhang, L.: Automated program repair in the era of large pre-trained language models. In: 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), pp. 1482–1494. IEEE (2023)

    Google Scholar 

  41. Yang, D., et al.: TransplantFix: graph differencing-based code transplantation for automated program repair. In: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pp. 1–13 (2022)

    Google Scholar 

  42. Yang, J., et al.: Quantization networks. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 7308–7316 (2019)

    Google Scholar 

  43. Zhang, Q., Fang, C., Ma, Y., Sun, W., Chen, Z.: A survey of learning-based automated program repair. ACM Trans. Software Eng. Methodol. 33(2), 1–69 (2023)

    Google Scholar 

  44. Zhang, Q., Fang, C., Xie, Y., Ma, Y., Sun, W., Chen, Y.Y.Z.: A systematic literature review on large language models for automated program repair. arXiv preprint arXiv:2405.01466 (2024)

  45. Zhang, Q., Fang, C., Yu, B., Sun, W., Zhang, T., Chen, Z.: Pre-trained model-based automated software vulnerability repair: how far are we? IEEE Trans. Dependable Secure Comput. (2023)

    Google Scholar 

  46. Zhang, Q., Zhao, Y., Sun, W., Fang, C., Wang, Z., Zhang, L.: Program repair: automated vs. manual. arXiv preprint arXiv:2203.05166 (2022)

  47. Zhang, Y., Xiao, Y., Kabir, M.M.A., Yao, D., Meng, N.: Example-based vulnerability detection and repair in java code. In: Proceedings of the 30th IEEE/ACM International Conference on Program Comprehension, pp. 190–201 (2022)

    Google Scholar 

  48. Zhou, A., Yao, A., Guo, Y., Xu, L., Chen, Y.: Incremental network quantization: towards lossless cnns with low-precision weights. arXiv preprint arXiv:1702.03044 (2017)

  49. Zhou, L., Liu, Y., Wang, J., Shi, Y.: Utility-based web path traversal pattern mining. In: Seventh IEEE International Conference on Data Mining Workshops (ICDMW 2007), pp. 373–380. IEEE (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Swinburne University of Technology, Melbourne, Australia

    Xiaowei Zhang, Jun Zhang & Yang Xiang

  2. CSIRO’s Data61, Sydney, Australia

    Shigang Liu

Authors
  1. Xiaowei Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shigang Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jun Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yang Xiang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Xiaowei Zhang or Shigang Liu .

Editor information

Editors and Affiliations

  1. Xidian University, Xi'an, China

    Xiaofeng Chen

  2. The Hong Kong University of Science and Technology (Guangzhou), Guangzhou, China

    Xinyi Huang

  3. Columbia University, New York, NY, USA

    Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zhang, X., Liu, S., Zhang, J., Xiang, Y. (2025). PTFix: Rule-Based and LLM Techniques for Java Path Traversal Vulnerability. In: Chen, X., Huang, X., Yung, M. (eds) Data Security and Privacy Protection. DSPP 2024. Lecture Notes in Computer Science, vol 15215. Springer, Singapore. https://doi.org/10.1007/978-981-97-8540-7_17

Download citation

  • DOI: https://doi.org/10.1007/978-981-97-8540-7_17

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-8539-1

  • Online ISBN: 978-981-97-8540-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation