ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modify rule S2083[C#]: Educational content (APPSEC-49) (#1121)

Browse Source
This commit is contained in:
Pierre-Loup 2022-07-27 14:34:13 +02:00 committed by Christophe Zürn
parent 9d944403b4
commit dbca6ec12c
6 changed files with 61 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/allowed_framework_names.adoc
View File

@ -1,11 +1,13 @@
// C#
* ASP.NET
* Razor
* .NET
// Java
* JSP
* Servlet
* Spring
* Thymeleaf
* Java SE
// JS
* Express.js
// PHP

1
rules/S2083/common/fix/code-rationale.adoc Normal file
View File

@ -0,0 +1 @@
The following code is vulnerable to path injection as it is constructing a path using untrusted data. This path is then used to delete a file without being validated first. Therefore, it can be leveraged by an attacker to delete arbitrary files.

6
rules/S2083/common/fix/how-does-this-work.adoc Normal file
View File

@ -0,0 +1,6 @@
The universal way to prevent path injection is to validate paths constructed from untrusted data.
The validation should be done as follow:
1. Resolve the canonical path of the file by using methods like `{canonicalization_function}`. This will resolve relative path or path components like `../` and removes any ambiguity regarding the file's location.
2. Check that the canonical path is within the directory where the file should be located.

47
rules/S2083/csharp/how-to-fix-it/dotnet.adoc Normal file
View File

@ -0,0 +1,47 @@
=== How to fix it in .NET
:canonicalization_function: System.IO.Path.GetFullPath
include::../../common/fix/code-rationale.adoc[]
[cols="a"]
|===
h| Non-compliant code example
|
[source,csharp]
----
public class ExampleController : Controller
{
private static string TargetDirectory;
public void Example(string filename)
{
string path = Path.Combine(TargetDirectory, filename);
System.IO.File.Delete(path); // Noncompliant
}
}
----
h| Compliant solution
|
[source,csharp]
----
public class ExampleController : Controller
{
private static string TargetDirectory;
public void Example(string filename)
{
string path = Path.Combine(TargetDirectory, filename);
string canonicalDestinationPath = Path.GetFullPath(path);
if (canonicalDestinationPath.StartsWith(TargetDirectory, StringComparison.Ordinal))
{
System.IO.File.Delete(canonicalDestinationPath);
}
}
}
----
|===
=== How does this work?
include::../../common/fix/how-does-this-work.adoc[]

2
rules/S2083/csharp/rule.adoc
View File

@ -6,6 +6,8 @@ include::../impact.adoc[]
== How to fix it?
include::how-to-fix-it/dotnet.adoc[]
== Resources
include::../common/resources/standards.adoc[]

10
rules/S2083/java/how-to-fix-it/java-se.adoc
View File

@ -1,6 +1,7 @@
=== How to fix it in Java SE
The following code is vulnerable to path injection as it is constructing a path using untrusted data. This path is then used to delete a file without being validated first. Therefore, it can be leveraged by an attacker to delete arbitrary files.
:canonicalization_function: java.io.File.getCanonicalPath
include::../../common/fix/code-rationale.adoc[]
[cols="a"]
|===
@ -48,9 +49,4 @@ public class ApiController
=== How does this work?
The universal way to prevent path injection is to validate paths constructed from untrusted data.
The validation should be done as follow:
1. Resolve the canonical path of the file by using methods like java.io.File/getCanonicalPath. This will resolve relative path or path components like `../` and removes any ambiguity regarding the file's location.
2. Check that the canonical path is within the directory where the file should be located.
include::../../common/fix/how-does-this-work.adoc[]