rspec/rules/S6549/rationale.adoc

Applications behave as filesystem oracles when they disclose to attackers if resources from the filesystem exist or not.

A user with malicious intent would inject specially crafted values, such as ``++../++``, to change the initially intended path. The resulting path would resolve to a location somewhere in the filesystem which the user should not normally have access to.
Create rule S6549: Accessing files should not lead to filesystem oracle attacks (#4156) * Add csharp to rule S6549 * Add RSPEC for S6549 for C# * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Correct function name --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2024-08-20 17:57:41 +02:00			`Applications behave as filesystem oracles when they disclose to attackers if resources from the filesystem exist or not.`

			A user with malicious intent would inject specially crafted values, such as ``++../++``, to change the initially intended path. The resulting path would resolve to a location somewhere in the filesystem which the user should not normally have access to.