2742dcd14d
* Add csharp to rule S6549 * Add RSPEC for S6549 for C# * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Correct function name --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
99 lines
2.6 KiB
Plaintext
99 lines
2.6 KiB
Plaintext
== How to fix it in ASP.NET
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,csharp,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
[ApiController]
|
|
[Route("Example")]
|
|
public class ExampleController : ControllerBase
|
|
{
|
|
private const string TargetDirectory = "/path/to/target/directory";
|
|
|
|
public IActionResult FileExists()
|
|
{
|
|
string file = Request.Query["file"];
|
|
string path = TargetDirectory + file;
|
|
if (!System.IO.File.Exists(path)) { // Noncompliant
|
|
return NotFound("File not found");
|
|
}
|
|
return Ok("File found");
|
|
}
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,csharp,diff-id=2,diff-type=compliant]
|
|
----
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
[ApiController]
|
|
[Route("Example")]
|
|
public class ExampleController : ControllerBase
|
|
{
|
|
private const string TargetDirectory = "/path/to/target/directory";
|
|
|
|
public IActionResult FileExists()
|
|
{
|
|
string file = Request.Query["file"];
|
|
string canonicalPath = Path.GetFullPath(TargetDirectory + file);
|
|
if (!canonicalPath.StartsWith(TargetDirectory)) {
|
|
return NotFound("Entry is outside of the target directory");
|
|
} else if (!System.IO.File.Exists(canonicalPath)) {
|
|
return NotFound("File not found");
|
|
}
|
|
return Ok("File found");
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
:canonicalization_function: Path.GetFullPath
|
|
|
|
include::../../common/fix/canonical-path-validation.adoc[]
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/partial-path-traversal.adoc[]
|
|
|
|
For example, the following code is vulnerable to partial path injection. Note
|
|
that the string `targetDirectory` does not end with a path separator:
|
|
|
|
|
|
[source, csharp]
|
|
----
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
[ApiController]
|
|
[Route("Example")]
|
|
public class ExampleController : ControllerBase
|
|
{
|
|
private const string TargetDirectory = "/Users/John";
|
|
|
|
public IActionResult FileExists()
|
|
{
|
|
string file = Request.Query["file"];
|
|
string canonicalPath = Path.GetFullPath(TargetDirectory + file);
|
|
if (!canonicalPath.StartsWith(TargetDirectory)) {
|
|
return NotFound("Entry is outside of the target directory");
|
|
} else if (!System.IO.File.Exists(canonicalPath)) {
|
|
return NotFound("File not found");
|
|
}
|
|
return Ok();
|
|
}
|
|
}
|
|
----
|
|
|
|
This check can be bypassed if other directories start with `John`. For instance, `"/Users/Johnny".StartsWith("/Users/John")`
|
|
returns `true`. Thus, for validation, `"/Users/John"` should actually be
|
|
`"/Users/John/"`.
|
|
|