
Metadata

ID: csharp-security/path-traversal

Language: C#

Severity: Error

Category: Security

CWE: 22

Description

Flags path traversal (CWE-22): a value derived from the HTTP request (in the examples, a cookie that is also URL-decoded) reaches a file-system path — `Path.Combine` and `FileStream` below — without being validated or confined to a base directory. Because `Path.Combine` neither normalizes `..` segments nor ignores a rooted second argument, a client can steer the application to read or write files outside the intended folder. The rule stays quiet when the path is a compile-time constant, as in the compliant example; in real code keep request data out of paths (map it to a fixed allow-list) or canonicalize with `Path.GetFullPath` and verify the result still starts with the expected base directory.

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Web;
using System.Text;

namespace Controllers
{
    /// <summary>
    /// Non-compliant example for the path-traversal rule (CWE-22): a request
    /// cookie is URL-decoded and handed straight to Path.Combine, so the client
    /// decides which file the server opens.
    /// </summary>
    public class VulnerableController : Controller
    {
        // Directory the files are supposed to live under. Nothing in Post()
        // verifies that the final path actually stays beneath it.
        private readonly string _rootPath;

        public VulnerableController(string rootPath)
        {
            _rootPath = rootPath;
        }

        [HttpPost("/path-test")]
        public IActionResult Post()
        {
            // Get parameter from cookies. Cookies are attacker-controlled, and the
            // UrlDecode restores any percent-encoded "../" (e.g. "%2e%2e%2f") that
            // a filter working on the raw cookie value would not have recognised.
            string param = "defaultValue";
            if (Request.Cookies != null)
            {
                foreach (var cookie in Request.Cookies)
                {
                    if (cookie.Key.Equals("TestCookie"))
                    {
                        param = HttpUtility.UrlDecode(cookie.Value, Encoding.UTF8);
                        break;
                    }
                }
            }

            // Vulnerable: User input directly in Path.Combine.
            // Path.Combine only joins segments; it does not collapse "..", so a value
            // such as "../../appsettings.json" resolves above _rootPath/files.
            // Worse, if param is rooted (e.g. "/etc/passwd"), Path.Combine drops the
            // preceding arguments entirely and returns param unchanged.
            string fileName = Path.Combine(_rootPath, "files", param);
            
            // Use the unsafe value: the attacker-chosen path is opened here.
            // FileMode.Open without a FileAccess argument opens ReadWrite, which is
            // broader than a read requires.
            FileStream fs = null;
            try
            {
                fs = new FileStream(fileName, FileMode.Open);
                // Read file...
            }
            catch (Exception e)
            {
                // Handle error... Swallowing every exception also hides the failed
                // probes an attacker makes while guessing file names.
            }
            finally
            {
                fs?.Close();
            }

            return Ok();
        }
    }
}

Compliant Code Examples

using System;
using System.IO;
using System.Text;
using System.Web;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

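namespace Controllers
{
    /// <summary>
    /// Compliant counterpart of the path-traversal rule: the file name that reaches
    /// <see cref="FileStream"/> is a compile-time constant, and the resolved path is
    /// additionally confined to the files directory before it is opened.
    /// </summary>
    public class SafeController : Controller
    {
        [HttpPost("/path-test")]
        public IActionResult Post()
        {
            // Get parameter from cookies. The value is attacker-controlled and is
            // URL-decoded here, so an encoded "../" would be restored before it
            // could reach the file system if this value were ever used in a path.
            string param = "defaultValue";
            if (Request.Cookies != null)
            {
                foreach (var cookie in Request.Cookies)
                {
                    if (cookie.Key.Equals("TestCookie"))
                    {
                        param = HttpUtility.UrlDecode(cookie.Value, Encoding.UTF8);
                        break;
                    }
                }
            }

            // Safe for the analyzer: the condition is a compile-time constant
            // (126 + 106 > 200 is always true), so filePath is always the literal and
            // the tainted `param` never flows into the path. That is why the rule does
            // not fire here; it is NOT a general-purpose sanitizer. Code that genuinely
            // needs a caller-chosen name must allow-list it and confine the resolved
            // path to the base directory, as done below.
            string filePath = (7 * 18) + 106 > 200 ? "safe_constant_filename" : param;

            // Defense in depth: resolve the final path and refuse anything that
            // escapes the files directory (".." segments, or a rooted second argument
            // that Path.Combine would otherwise honour). Both paths are resolved
            // relative to the process working directory, as in the original
            // string-concatenation form. Ordinal comparison is the strict choice: a
            // case-variant path is rejected rather than accepted.
            string baseDir = Path.GetFullPath(Constants.FILES_DIR);
            string basePrefix = baseDir.EndsWith(Path.DirectorySeparatorChar)
                ? baseDir
                : baseDir + Path.DirectorySeparatorChar;
            string fullPath = Path.GetFullPath(Path.Combine(baseDir, filePath));
            if (!fullPath.StartsWith(basePrefix, StringComparison.Ordinal))
            {
                return BadRequest();
            }

            try
            {
                // Read-only access: least privilege for a read, and it also succeeds
                // on read-only files where the default ReadWrite open would throw.
                using (FileStream fs = new FileStream(fullPath, FileMode.Open, FileAccess.Read))
                {
                    // Read file...
                }
            }
            catch (IOException)
            {
                // Handle error... (file missing, locked, etc. — elided in this example)
            }
            catch (UnauthorizedAccessException)
            {
                // Handle error... (permission denied — elided in this example)
            }

            return Ok();
        }
    }

    /// <summary>Base directory for files served by <see cref="SafeController"/>.</summary>
    public static class Constants
    {
        // readonly: a writable static would let any code in the process redirect
        // the base directory at runtime.
        public static readonly string FILES_DIR = "files/";
    }
}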