user517206

Reputation: 161

How to fix ‘Path Manipulation’ issue from Fortify scan report for the following code sample

I have a Path Manipulation problem. The following code is placed in the Page_Load method of an ASPX page.

// rName comes straight from the request query string and is concatenated into the path
String rName = Request.QueryString["reportName"];
string path = "C:\\hari" + rName;
if (File.Exists(path))
{
    File.Delete(path);
}

But the Fortify scan report for the above sample code shows a ‘Path Manipulation’ issue rated high. I need help modifying the above code so that it can pass the Fortify scan.

Upvotes: 5

Views: 28312

Answers (2)

Costlow

Reputation: 585

Jackson is right, this is a direct File Path Manipulation vulnerability that can be fixed through indirect selection. From your known directory, list all the files. Use the value coming from your own directory list, not the user-supplied value.

using System.IO;

String rName = Request.QueryString["reportName"];
String knownPath = "C:\\hari";
// Enumerate the known directory and let the user value only select among its entries
DirectoryInfo di = new DirectoryInfo(knownPath);
FileInfo[] files = di.GetFiles(rName);

// Delete the FileInfo returned by the directory listing, not a path built from the request
if (files.Length > 0)
{
    files[0].Delete();
}

Upvotes: 7

Jackson Pope

Reputation: 14660

I think the problem is that someone could spoof a request with reportName = "..\\Windows\\Something important" which is clearly a security flaw. You need to change your code so that it doesn't read a partial filename from the request query string.

Upvotes: 1
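The following is an added, self-contained C# example (not code from the question or from either answer) that implements the indirect selection Costlow describes and shows why the spoofed `..\\Windows\\...` value Jackson mentions finds nothing. It uses an exact file-name match against the directory listing rather than a search pattern; `TryDeleteReport`, `reportsDir` and `requestedName` are hypothetical names standing in for the fixed `C:\\hari` directory and `Request.QueryString["reportName"]` in the original `Page_Load`.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example: indirect selection for a delete-by-name request.
// The only value ever handed to File.Delete is a path that came out of our own
// directory listing; the raw query value is used purely as a lookup key.
static class ReportCleanup
{
    // Returns the full path that was deleted, or null if no listed file matched.
    // reportsDir and requestedName are assumed parameters (see lead-in).
    public static string TryDeleteReport(string reportsDir, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;

        // Enumerate the known directory only (no recursion), then pick the entry
        // whose own file name equals the request. Because each candidate is
        // compared by Path.GetFileName, a value such as "..\\x" or "sub\\x" can
        // never equal a listed name, so traversal input simply finds nothing.
        string match = Directory.GetFiles(reportsDir)
            .FirstOrDefault(f => string.Equals(
                Path.GetFileName(f), requestedName, StringComparison.OrdinalIgnoreCase));

        if (match == null)
            return null;

        File.Delete(match);
        return match;
    }

    static void Main()
    {
        // Constructed sample directory so the example runs offline.
        string dir = Path.Combine(Path.GetTempPath(), "hari-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        File.WriteAllText(Path.Combine(dir, "report1.txt"), "sample report");

        Console.WriteLine("legit name deleted:   " + (TryDeleteReport(dir, "report1.txt") != null));
        Console.WriteLine("traversal rejected:   " + (TryDeleteReport(dir, "..\\Windows\\something") == null));
        Console.WriteLine("second delete no-op:  " + (TryDeleteReport(dir, "report1.txt") == null));

        Directory.Delete(dir, true);
    }
}
```

Static analysers such as Fortify flag the original because a tainted string reaches `File.Delete`; here the tainted string only participates in a comparison, and the argument to `File.Delete` is derived from `Directory.GetFiles` on a constant directory, which is the dataflow the indirect-selection fix is meant to produce. Logging the cases where no listed file matches is a cheap way to spot probing of this endpoint.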
