
How to fix a 'Path Manipulation' issue from a Fortify scan report for the following code sample

Developer https://www.devze.com 2023-02-06 00:30 Source: web

I have a Path Manipulation problem. The following code is placed in the Page_Load method of an ASPX page.

// Requires "using System.IO;" at the top of the code-behind file.
// This is the vulnerable original: rName comes straight from the query string
// and is concatenated into a file system path, so a value containing "..\\"
// (or an absolute path) lets the caller choose which file gets deleted.
String rName = Request.QueryString["reportName"];
string path = "C:\\hari" + rName;
if (File.Exists(path))
{
    File.Delete(path);
}

But the Fortify scan report for the above sample code shows a 'Path Manipulation' issue rated High. I need help modifying the above code so that it can pass the Fortify scan.


Jackson is right, this is a direct File Path Manipulation vulnerability that can be fixed through indirect selection. From your known directory, list all the files. Use the value coming from your own directory list, not the user-supplied value.

// Requires "using System.IO;" at the top of the code-behind file.
String rName = Request.QueryString["reportName"];
String knownPath = "C:\\hari";
DirectoryInfo di = new DirectoryInfo(knownPath);
// Enumerate the known directory and let the file system's own listing pick
// the file; the FileInfo that is deleted comes from that list, not from rName.
FileInfo[] files = di.GetFiles(rName);

if (files.Length > 0)
{
    files[0].Delete();
}


I think the problem is that someone could spoof a request with reportName = "..\\Windows\\Something important" which is clearly a security flaw. You need to change your code so that it doesn't read a partial filename from the request query string.

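Both answers above make the same point: do not build the path from the raw query string; select from the known directory's own listing instead. The following is an added example, not code from the original question or either answer, that combines that indirect selection with a bare-file-name check and a canonical-path boundary check, then exercises it against a set of constructed inputs in a throw-away directory. The class and method names (ReportStore, SafeDelete), the temporary "hari" directory and the sample file names are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example (not from the original post): a hardened version of the
// Page_Load delete logic. ReportStore, SafeDelete and the temporary "hari"
// directory are assumptions made for this example.
public static class ReportStore
{
    // Returns the full path of the file that was deleted, or null if the
    // request was rejected. Nothing derived from requestedName is ever used
    // as a path; only a FileInfo taken from the directory listing is deleted.
    public static string SafeDelete(string knownDir, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;

        // 1. A report name must be a bare file name: no directory portion,
        //    no rooted path, no "." or "..". Path.GetFileName strips any
        //    directory portion, so a legitimate name round-trips unchanged.
        if (Path.GetFileName(requestedName) != requestedName
            || requestedName == "." || requestedName == "..")
            return null;

        // 2. Indirect selection: enumerate what is actually in the known
        //    directory and match by exact name. No search pattern is passed,
        //    so wildcards such as "*" cannot widen the match.
        DirectoryInfo di = new DirectoryInfo(knownDir);
        FileInfo match = di.EnumerateFiles()
            .FirstOrDefault(f => string.Equals(f.Name, requestedName,
                                               StringComparison.Ordinal));
        if (match == null)
            return null;

        // 3. Canonicalise both sides and re-check the boundary before acting.
        string root = Path.GetFullPath(knownDir)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(match.FullName);
        if (!full.StartsWith(root, StringComparison.Ordinal))
            return null;

        match.Delete();
        return full;
    }

    public static void Main()
    {
        // Constructed fixture: a temporary "hari" directory holding two reports,
        // plus a sibling "secret.txt" outside it that must never be reachable.
        string baseDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        string hari = Path.Combine(baseDir, "hari");
        Directory.CreateDirectory(hari);
        File.WriteAllText(Path.Combine(hari, "sales.txt"), "report");
        File.WriteAllText(Path.Combine(hari, "audit.txt"), "report");
        File.WriteAllText(Path.Combine(baseDir, "secret.txt"), "do not delete");

        string[] inputs =
        {
            "sales.txt",                          // legitimate: deleted
            "..\\secret.txt",                     // traversal: rejected
            "../secret.txt",                      // forward-slash traversal: rejected
            Path.Combine(baseDir, "secret.txt"),  // absolute path: rejected
            "*",                                  // wildcard GetFiles() would honour: rejected
            "audit.txt\\..\\..\\secret.txt",      // nested traversal: rejected
        };

        foreach (string rName in inputs)
        {
            string result = SafeDelete(hari, rName);
            Console.WriteLine($"{rName,-45} -> "
                + (result == null ? "rejected" : "deleted " + result));
        }

        Console.WriteLine("secret.txt still exists: "
            + File.Exists(Path.Combine(baseDir, "secret.txt")));

        Directory.Delete(baseDir, recursive: true);
    }
}
```

Two points worth keeping in mind when adapting the answer's GetFiles(rName) version. First, a search pattern is still attacker-controlled: "*" or "a*" lets the caller delete a report they did not name, which is why the example matches on the exact name from the listing. Second, how a search pattern containing directory separators or ".." is treated differs between .NET Framework (which throws) and later runtimes, so the canonical-path check in step 3 is what actually enforces the directory boundary; the search-pattern call alone should not be relied on for that.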
