14 lines
1.2 KiB
Plaintext
14 lines
1.2 KiB
Plaintext
== Ask Yourself Whether
|
|
|
|
* the file or directory path you are using is coming from a user input or could have been tampered with.
|
|
* the code exposes to an unauthorized person the existence of a file or directory. Any hint given to a user might be dangerous. The information could be given by displaying an error if the file/directory does not exist or just by returning an "Unauthorized" error when the file/directory exists but the person can't perform an action.
|
|
* the code exposes to an unauthorized person the paths of files and/or directories, for example by listing the content of a directory and displaying the output.
|
|
* a file or directory may be created with the wrong permissions.
|
|
* an unvalidated user input is written into a file.
|
|
* a file is read and its content is used without being validated.
|
|
* a file is read and its content is exposed to an unauthorized person.
|
|
* a file is open, created or written into each time a user performs an action.
|
|
* files are open and not closed before executing a child process. This is only dangerous if file descriptors are inherited in your programming language (example: C, {cpp}).
|
|
|
|
You are at risk if you answered yes to any of those questions.
|