
Fortify - Path Manipulation

I am getting a Fortify error in the lines below:

  string path = "<hardcodedpath>"; 
  var fileBytes = System.IO.File.ReadAllBytes(path + fileName);
  return File(fileBytes, System.Web.MimeMapping.GetMimeMapping(fileName), fileName);

e.g. path = C:\\WorkSpace\\Project\\\\Files\\

I am making sure (whitelisting?) that the parameter fullPath is fetched from a predefined folder alone (code for the same is not pasted here) and nobody will be able to access any other files other than the ones in the predefined folder.

Yet, Fortify doesn't mark these issues as resolved. How can I get this resolved by Fortify? Is there anything else that needs to be taken care of?

Error Message - Attackers can control the filesystem path argument to ReadAllBytes() at .cs line 446, which allows them to access or modify otherwise protected files.

I can't make a comment because of the silly reputation rules, so I'll put this in an answer. You've shown where "path" comes from, but you don't mention where "fileName" comes from. If the value of that variable is coming from an untrusted source, then that is the cause of this issue. You'll want to whitelist that variable so that an attacker can change the path. Once you know your whitelist is good, you can suppress the issue. The whitelist alone won't stop Fortify from finding the issue again because it can't tell when your whitelist is sufficient.

You can also try posting Fortify issues to their online forum at https://protect724.hp.com . The support group monitors those forums.
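A concrete form of the whitelist the answer describes, added here as an example and not code from the question or the answer. The base folder, the allowed file names and the `SafeFileResolver.TryResolve` helper are assumptions; it rejects anything that is not a bare, allowlisted file name and then confirms the canonical path still lies under the predefined folder before `ReadAllBytes` runs.

```csharp
using System;
using System.IO;
using System.Linq;

// Example (assumed names): resolves a user-supplied file name to a path that is
// guaranteed to live inside one predefined folder, or refuses it.
public static class SafeFileResolver
{
    // Placeholder for the hard-coded folder in the question.
    private static readonly string BaseDirectory =
        Path.GetFullPath(@"C:\WorkSpace\Project\Files\");

    // Allowlist of the only names that may ever be served (constructed sample values).
    private static readonly string[] AllowedNames = { "report.pdf", "manual.docx" };

    public static bool TryResolve(string fileName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(fileName)) return false;

        // Must be a bare file name: no directory separators, no "..\" segments.
        if (fileName != Path.GetFileName(fileName)) return false;
        if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;

        // Only names we explicitly expect; remove this check if every file in the
        // folder may legitimately be downloaded.
        if (!AllowedNames.Contains(fileName, StringComparer.OrdinalIgnoreCase)) return false;

        // Canonicalise and verify the result is still under BaseDirectory
        // (BaseDirectory keeps its trailing separator, so "Files2\" cannot match).
        string candidate = Path.GetFullPath(Path.Combine(BaseDirectory, fileName));
        if (!candidate.StartsWith(BaseDirectory, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return File.Exists(candidate);
    }
}

// Usage inside the MVC action from the question (fileName is the untrusted input):
//
//   if (!SafeFileResolver.TryResolve(fileName, out var fullPath)) return HttpNotFound();
//   var fileBytes = System.IO.File.ReadAllBytes(fullPath);
//   return File(fileBytes, System.Web.MimeMapping.GetMimeMapping(fileName), fileName);
```

As the answer notes, Fortify will usually still report the sink after this change, because it cannot judge whether the validation is sufficient; once the check is in place the finding is suppressed with a justification rather than removed by the scanner.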
