The rule “Avoid path traversal” exists to prevent unauthorized file access and the data breaches that follow from it. A path traversal vulnerability occurs when an attacker controls part of a file path used in a file operation and uses path navigation constructs, typically “..” segments, to reach files outside the intended directory. Depending on the operation, this can lead to exposure of sensitive data, unauthorized modification or deletion of files, or in some cases code execution.
It matters because an attacker who can read, write or delete files on the server can seriously compromise the application's data security. The severity ranges from information disclosure to complete system compromise, depending on which file operation is exposed and on the privileges the application runs with.
How to remediate
Never build a file path from user input; use constant or server-generated values instead. If user input must name a file, do not rely on stripping “..” sequences: an attacker can supply encoded variants (the cookie value in the examples below is URL-decoded before use), overlapping sequences such as “....//” that survive a single pass of removal, or a rooted path, which Path.Combine returns as-is while silently discarding the base directory. Instead, resolve the combined path to its canonical form (Path.GetFullPath) and verify that it still lies under the intended base directory, or, better, accept only values from an allowlist of known file names. Always apply the principle of least privilege to the permissions of the files and directories the application can reach, so that a traversal that does slip through exposes as little as possible.
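The check described above, as an added example that is not part of the Datadog rule page or its test cases. It targets .NET 6 or later; the class name SafePathResolver, the methods ResolveWithinBase and IsAllowedFileName, and the sample inputs are this example's own choices, constructed to stand in for the decoded "TestCookie" value used in the examples below.

```csharp
// Added example, not code from the Datadog rule page: resolve a user-supplied
// file name against a fixed base directory and reject anything that escapes it.
// The class and method names are this example's own choices.
using System;
using System.Collections.Generic;
using System.IO;

public static class SafePathResolver
{
    // Returns the canonical full path when userInput names a file inside baseDir,
    // otherwise null. Callers treat null as "reject the request".
    public static string ResolveWithinBase(string baseDir, string userInput)
    {
        if (string.IsNullOrWhiteSpace(userInput))
            return null;

        // A rooted input is never acceptable here: Path.Combine(baseDir, "/etc/passwd")
        // discards baseDir and returns "/etc/passwd" unchanged.
        if (Path.IsPathRooted(userInput))
            return null;

        // Canonical base with a trailing separator, so "/srv/files" cannot be
        // satisfied by a sibling directory such as "/srv/files-private/secret".
        string baseFull = Path.GetFullPath(baseDir);
        if (!baseFull.EndsWith(Path.DirectorySeparatorChar))
            baseFull += Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments, so "../../etc/passwd" and
        // "sub/../../../etc/passwd" become their real locations before the check.
        string candidate = Path.GetFullPath(Path.Combine(baseFull, userInput));

        // Windows paths are case-insensitive; compare accordingly.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return candidate.StartsWith(baseFull, cmp) ? candidate : null;
    }

    // Stricter alternative: accept only a bare file name drawn from an allowlist.
    // Use this when the set of legitimate files is known up front.
    public static bool IsAllowedFileName(string userInput, ISet<string> allowlist)
    {
        // Path.GetFileName strips any directory part; if that changes the value,
        // the input contained a separator or traversal segment and is rejected.
        return userInput != null
            && Path.GetFileName(userInput) == userInput
            && allowlist.Contains(userInput);
    }

    public static void Main()
    {
        // Constructed sample inputs standing in for the decoded "TestCookie" value.
        string baseDir = Path.Combine(Path.GetTempPath(), "files");
        string[] inputs =
        {
            "report.txt",
            "2024/report.txt",
            "../../etc/passwd",
            "sub/../../../etc/passwd",
            "/etc/passwd",
        };

        foreach (string input in inputs)
        {
            string resolved = ResolveWithinBase(baseDir, input);
            string shown = resolved ?? "REJECTED";
            Console.WriteLine($"{input,-26} -> {shown}");
        }

        var allowed = new HashSet<string> { "report.txt", "summary.txt" };
        Console.WriteLine(IsAllowedFileName("report.txt", allowed));    // bare name on the allowlist
        Console.WriteLine(IsAllowedFileName("../report.txt", allowed)); // directory part present
    }
}
```

Two caveats when applying this pattern: Path.GetFullPath normalizes the string only and does not resolve symbolic links, so a link inside the base directory that points outside it still passes the prefix check and must be excluded by other means (for example, by rejecting reparse points or by running the application with permissions that cannot reach the link target); and the prefix comparison must be done on the canonical base with its trailing separator, otherwise a sibling directory whose name starts with the base name would be accepted.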
Non-Compliant Code Examples
```csharp
using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Web;
using System.Text;

namespace Controllers
{
    public class VulnerableController : Controller
    {
        private readonly string _rootPath;

        public VulnerableController(string rootPath)
        {
            _rootPath = rootPath;
        }

        [HttpPost("/path-test")]
        public IActionResult Post()
        {
            // Get parameter from cookies
            string param = "defaultValue";
            if (Request.Cookies != null)
            {
                foreach (var cookie in Request.Cookies)
                {
                    if (cookie.Key.Equals("TestCookie"))
                    {
                        param = HttpUtility.UrlDecode(cookie.Value, Encoding.UTF8);
                        break;
                    }
                }
            }

            // Vulnerable: user input (the decoded cookie value) goes directly into
            // Path.Combine. ".." segments escape _rootPath/files, and a rooted value
            // replaces the base path entirely.
            string fileName = Path.Combine(_rootPath, "files", param);

            // Use the unsafe value
            FileStream fs = null;
            try
            {
                fs = new FileStream(fileName, FileMode.Open);
                // Read file...
            }
            catch (Exception e)
            {
                // Handle error...
            }
            finally
            {
                fs?.Close();
            }
            return Ok();
        }
    }
}
```
Compliant Code Examples
```csharp
using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Web;
using System.Text;

namespace Controllers
{
    public class SafeController : Controller
    {
        [HttpPost("/path-test")]
        public IActionResult Post()
        {
            // Get parameter from cookies
            string param = "defaultValue";
            if (Request.Cookies != null)
            {
                foreach (var cookie in Request.Cookies)
                {
                    if (cookie.Key.Equals("TestCookie"))
                    {
                        param = HttpUtility.UrlDecode(cookie.Value, Encoding.UTF8);
                        break;
                    }
                }
            }

            // Safe: the ternary always evaluates to a constant ((7 * 18) + 106 is 232,
            // which is greater than 200), so the user-controlled param never reaches
            // the file system.
            string filePath = (7 * 18) + 106 > 200 ? "safe_constant_filename" : param;

            // Use the safe value
            FileStream fs = null;
            try
            {
                string fullPath = Constants.FILES_DIR + filePath;
                fs = new FileStream(fullPath, FileMode.Open);
                // Read file...
            }
            catch (Exception e)
            {
                // Handle error...
            }
            finally
            {
                fs?.Close();
            }
            return Ok();
        }
    }

    public static class Constants
    {
        public static string FILES_DIR = "files/";
    }
}
```
Try this rule and analyze your code with Datadog Code Security
How to use this rule
rulesets:
  - csharp-security # Rules to enforce C# security.
Create a static-analysis.datadog.yml file with the content above at the root of your repository
Use our free IDE plugins or add Code Security scans to your CI pipelines.