Reputation: 81
I am uploading a file to a server using FtpWebRequest. But it causes a critical Cross-site scripting (XSS) vulnerability. This file's contents are important and I need to upload them as is. How could I fix this issue?
The method sends unvalidated data to a web browser on line 1274, which can result in the browser executing malicious code.
using System.IO;
using System.Net;
using System.Text;

StringBuilder sb = new StringBuilder();
sb.AppendLine(...);
.
.
.
// Encoding.Default depends on the machine's code page; the bytes are uploaded unchanged.
byte[] data = Encoding.Default.GetBytes(sb.ToString());
FtpWebRequest requestUpload = (FtpWebRequest)WebRequest.Create(ftpPath);
requestUpload.Proxy = new WebProxy(); // empty proxy object: bypass any system proxy
requestUpload.KeepAlive = false;
requestUpload.EnableSsl = true;
// Process-wide callback that accepts every server certificate, forged ones included.
// This disables TLS certificate validation for the whole application, not just this request.
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
requestUpload.Credentials = new NetworkCredential(ftpUser, ftpPassword);
requestUpload.Method = WebRequestMethods.Ftp.UploadFile;
using (Stream requestStream = requestUpload.GetRequestStream())
{
    requestStream.Write(data, 0, data.Length); // line 1274: the call flagged by the analyzer
}
// Dispose the response so the control connection is released.
using (FtpWebResponse response = (FtpWebResponse)requestUpload.GetResponse())
{
    // response.StatusCode / response.StatusDescription report the server's result
}
Line 1274 is the call to requestStream.Write.
Upvotes: 1
Views: 361
Reputation: 202534
That code line does not send any data to a web browser.
To me it seems like a false warning.
That does not mean that the code cannot cause an XSS vulnerability. But that depends on what file you are transferring and where to. I just do not think it is likely. And I do not think that the analyzer (whichever it is) has any grounds for claiming that.
Upvotes: 1
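A hardened version of the snippet from the question, added here as an example (it is not code from the question or from this answer). It assumes the same ftpPath, ftpUser and ftpPassword variables and that the contents arrive as a string. Whatever the analyzer labels the Write call, the one line in the posted code that actually weakens security is the ServerCertificateValidationCallback that returns true for every certificate: it is a process-wide setting, so it turns off TLS validation for every connection the application makes, not just this upload. The version below keeps validation on and disposes the response.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Text;

// Hypothetical helper; name and signature are this example's, not the question's.
public static class SecureFtpUpload
{
    // Uploads `contents` byte-for-byte over FTPS and returns the server's final status code.
    public static FtpStatusCode Upload(string ftpPath, string ftpUser, string ftpPassword, string contents)
    {
        // Leaving the callback unset gives the same behaviour as this line: reject any certificate
        // that fails chain, name or revocation checks. Set it explicitly only if you need to add
        // pinning on top; never make it return true unconditionally.
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) => sslPolicyErrors == SslPolicyErrors.None;

        // Explicit encoding: Encoding.Default varies per machine and can silently alter the file.
        byte[] data = Encoding.UTF8.GetBytes(contents);

        var request = (FtpWebRequest)WebRequest.Create(ftpPath);
        request.Method = WebRequestMethods.Ftp.UploadFile;
        request.EnableSsl = true;
        request.KeepAlive = false;
        request.Credentials = new NetworkCredential(ftpUser, ftpPassword);
        request.ContentLength = data.Length;

        using (Stream requestStream = request.GetRequestStream())
        {
            requestStream.Write(data, 0, data.Length);
        }

        // Disposing the response releases the control connection instead of leaking it.
        using (var response = (FtpWebResponse)request.GetResponse())
        {
            return response.StatusCode;
        }
    }
}
```

Call it as SecureFtpUpload.Upload("ftp://host/path/file.csv", user, password, sb.ToString()) and check the returned FtpStatusCode (ClosingData on success). The file contents are still uploaded exactly as built; nothing here touches the data, only the transport.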
Reputation: 4608
You need to validate your file and place appropriate restrictions on it. The two most appropriate restrictions are size and type.
You should limit the size to something that is appropriate for your scenario, i.e. the maximum file size someone should need to upload.
You should limit the file type to a selection of types that do not include executable files, e.g. CSV, PDF.
You can use custom validation attributes to handle the validation.
Upvotes: 0
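The size and type restrictions this answer describes, written as the custom validation attributes it mentions. This is an added example, not the answerer's code; UploadModel, the 5 MiB limit, the allow-list of extensions and the UploadValidator helper are all assumptions chosen for illustration. It uses System.ComponentModel.DataAnnotations so the same attributes work with ASP.NET model binding or with the Validator class shown at the end.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.IO;
using System.Linq;

// Hypothetical model for an upload: the client-supplied name plus the raw bytes.
public class UploadModel
{
    [Required]
    [AllowedFileType(".csv", ".pdf")]          // allow-list, never a deny-list of "bad" types
    public string FileName { get; set; }

    [Required]
    [MaxFileSize(5 * 1024 * 1024)]             // 5 MiB; pick the limit the scenario really needs
    public byte[] Content { get; set; }
}

// Rejects content larger than the configured number of bytes.
[AttributeUsage(AttributeTargets.Property)]
public sealed class MaxFileSizeAttribute : ValidationAttribute
{
    private readonly long _maxBytes;

    public MaxFileSizeAttribute(long maxBytes) { _maxBytes = maxBytes; }

    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        if (value is byte[] bytes && bytes.LongLength > _maxBytes)
            return new ValidationResult($"{context.MemberName} exceeds {_maxBytes} bytes.");
        return ValidationResult.Success;       // null is left to [Required]
    }
}

// Accepts only extensions from an allow-list, compared case-insensitively.
// The extension is a hint from the client; if the file will ever be served back
// to a browser, also check the content itself (and serve it with a fixed Content-Type).
[AttributeUsage(AttributeTargets.Property)]
public sealed class AllowedFileTypeAttribute : ValidationAttribute
{
    private readonly HashSet<string> _extensions;

    public AllowedFileTypeAttribute(params string[] extensions)
    {
        _extensions = new HashSet<string>(extensions, StringComparer.OrdinalIgnoreCase);
    }

    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        var name = value as string;
        if (name == null) return ValidationResult.Success;   // null is left to [Required]

        string ext = Path.GetExtension(name);                // "" when there is no extension
        if (!_extensions.Contains(ext))
            return new ValidationResult($"File type '{ext}' is not allowed.");
        return ValidationResult.Success;
    }
}

// Hypothetical entry point: runs every attribute on the model and returns the messages.
public static class UploadValidator
{
    public static IList<string> Validate(UploadModel model)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model), results, validateAllProperties: true);
        return results.Select(r => r.ErrorMessage).ToList();
    }
}
```

Run UploadValidator.Validate on the model server-side before anything is written to the FTP request stream; an empty list means both properties passed, otherwise reject the upload and surface the messages. Because these checks constrain what is accepted rather than rewriting the bytes, the file that does pass is still uploaded exactly as provided.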