Problem description
I have this code that stores a file to the server:
    void StoreFile(string inputFileName) {
        ...
        var extension = Path.GetExtension(inputFileName);
        if (extension == ".csv") {
            // Guid.NewGuid() yields a fresh value; new Guid() would always be all zeros
            var fileName = string.Format("{0}_{1}{2}", Session.SessionID, Guid.NewGuid(), extension);
            var dataFileServerPath = _documentService.getPath(fileName, UserProfile.UserName, UserProfile.SourceID);
            if (!string.IsNullOrEmpty(dataFileServerPath)) {
                try {
                    using (FileStream dataFile = new FileStream(dataFileServerPath, FileMode.Create)) { .... }
                }
                catch (Exception e) { ... }
            }
        }
        else {
            throw new NotSupportedFormatError();
        }
    }
After Veracode analysis I get a Directory Traversal issue on the line FileStream dataFile = new FileStream(dataFileServerPath, FileMode.Create)
Why am I getting this issue there? I've checked that the file extension is valid for my case and passed that value in fileName. Is this a security issue, and how do I solve it?
_documentService.getPath just appends the path from web.config and the filename for a specific user; it's not related to user input.
Recommended answer
According to the code you've posted here, that looks like a false positive.
Veracode is apparently tracking the inputFileName variable (which I assume contains unvalidated user input), and notes that it influences the extension variable. Since you later embed extension directly into the filename, and read the file that points at, Veracode sees that it is possible that a malicious user would embed a partial path in inputFileName which would then change the directory of the target file...
In this case, Veracode is missing the fact that you already performed input validation (the extension == ".csv" check), and absolutely constrained the relevant part of the input to a tight whitelist.
Assuming there are no other relevant bits of code missing from your question, this is safe to mark as a false positive.
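As an added example (not the asker's or the answerer's code), the same flow in C# with the whitelist check from the question plus an explicit canonical-path containment check as defence in depth, which is also the kind of sanitizer a SAST tool can recognise. baseDir and sessionId are constructed stand-ins for the web.config path that _documentService.getPath appends and for Session.SessionID; NotSupportedException stands in for the page's NotSupportedFormatError.

```csharp
using System;
using System.IO;

public static class SafeStorePath
{
    // Builds the server-side path for an upload. Returns the canonical full path,
    // or throws if the extension is not whitelisted or the path leaves baseDir.
    public static string Build(string baseDir, string sessionId, string inputFileName)
    {
        // Whitelist check from the question: after this, the only user-influenced
        // fragment that reaches the file name is the constant string ".csv".
        var extension = Path.GetExtension(inputFileName);
        if (extension != ".csv")
            throw new NotSupportedException("Only .csv uploads are accepted");

        // Guid.NewGuid() gives a fresh value (new Guid() would always be all zeros).
        var fileName = string.Format("{0}_{1}{2}", sessionId, Guid.NewGuid(), extension);

        // Defence in depth: canonicalise and verify the result is still under baseDir.
        // The trailing separator prevents "/uploads2" from passing as a child of "/uploads".
        var root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                   + Path.DirectorySeparatorChar;
        var full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Resolved path escaped the upload directory");
        return full;
    }

    public static void Main()
    {
        var baseDir = Path.Combine(Path.GetTempPath(), "uploads"); // stand-in for the web.config path
        var sessionId = "sess123";                                 // constructed sample value

        // A path-bearing input still resolves inside baseDir, because only its
        // extension survives into fileName; a non-.csv input is rejected outright.
        foreach (var input in new[] { "report.csv", "../../report.csv", "report.txt" })
        {
            try { Console.WriteLine("{0} -> {1}", input, Build(baseDir, sessionId, input)); }
            catch (Exception e) { Console.WriteLine("{0} -> rejected: {1}", input, e.Message); }
        }
    }
}
```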