Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible false positive "Uncontrolled data used in path expression" still after stripping path from input. #18225

Open
valuator18 opened this issue Dec 5, 2024 · 0 comments
Open

Possible false positive "Uncontrolled data used in path expression" still after stripping path from input. #18225

valuator18 opened this issue Dec 5, 2024 · 0 comments
Labels
false-positive

Comments

@valuator18
Copy link

The .NET System.IO.Path.GetFileName will take a path, relative or otherwise, and return only the filename part. I am using this to sanitize the input to a Download action that serves files from a hardcoded folder. The initial code looked like this, which is in fact vulnerable:

[HttpGet]
public IActionResult Download(string fileName)
{
        string filesDir = "Files\\FilesToServe";
        string filePath = Path.Combine(filesDir, fileName);

        if (System.IO.File.Exists(filePath))
        {
            FileStream fs = new FileStream(filePath, FileMode.Open);

            return File(fs, "text/plain", fileName);
        }

        return NotFound();
}

Corrective action was taken so that only a file name with no additional path will be used to look for the file:

[HttpGet]
public IActionResult Download(string fileName)
{
        string strippedFileName = Path.GetFileName(fileName);
        string filesDir = "Files\\FilesToServe";
        string filePath = Path.Combine(filesDir, strippedFileName);

        if (System.IO.File.Exists(filePath))
        {
            FileStream fs = new FileStream(filePath, FileMode.Open);

            return File(fs, "text/plain", strippedFileName);
        }

        return NotFound();
}

This still detects "Uncontrolled data used in path expression (cs/path-injection)" for filePath even though it has been tested to no longer serve files outside of filesDir when passing in parameters such as "../../../FileThatShouldntBeServed.txt".
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
false-positive
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@valuator18