89 lines
2.5 KiB
Plaintext
89 lines
2.5 KiB
Plaintext
=== How to fix it in .NET
|
|
|
|
:canonicalization_function1: System.IO.Path.GetFullPath
|
|
:canonicalization_function2: System.IO.Path.GetFileName
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
[cols="a"]
|
|
|===
|
|
h| Non-compliant code example
|
|
|
|
|
[source,csharp]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
private static string TargetDirectory = "/example/directory/";
|
|
|
|
public void ExtractEntry(IEnumerator<ZipArchiveEntry> entriesEnumerator)
|
|
{
|
|
ZipArchiveEntry entry = entriesEnumerator.Current;
|
|
string destinationPath = Path.Combine(TargetDirectory, entry.FullName);
|
|
|
|
entry.ExtractToFile(destinationPath); // Noncompliant
|
|
}
|
|
}
|
|
----
|
|
h| Compliant solution
|
|
|
|
|
[source,csharp]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
private static string TargetDirectory = "/example/directory/";
|
|
|
|
public void ExtractEntry(IEnumerator<ZipArchiveEntry> entriesEnumerator)
|
|
{
|
|
ZipArchiveEntry entry = entriesEnumerator.Current;
|
|
string destinationPath = Path.Combine(TargetDirectory, entry.FullName);
|
|
string canonicalDestinationPath = Path.GetFullPath(destinationPath);
|
|
|
|
if (canonicalDestinationPath.StartsWith(TargetDirectory, StringComparison.Ordinal))
|
|
{
|
|
entry.ExtractToFile(canonicalDestinationPath);
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|===
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/how-does-this-work.adoc[]
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/partial-path-traversal.adoc[]
|
|
|
|
For example, the following code is vulnerable to partial path injection. Note
|
|
that the string `TargetDirectory` does not end with a path separator:
|
|
|
|
|
|
[source, csharp]
|
|
----
|
|
static private String TargetDirectory = "/Users/John";
|
|
|
|
public void ExtractEntry(IEnumerator<ZipArchiveEntry> entriesEnumerator)
|
|
{
|
|
ZipArchiveEntry entry = entriesEnumerator.Current;
|
|
string canonicalDestinationPath = Path.GetFullPath(TargetDirectory);
|
|
|
|
if (canonicalDestinationPath.StartsWith(TargetDirectory, StringComparison.Ordinal))
|
|
{
|
|
entry.ExtractToFile(canonicalDestinationPath);
|
|
}
|
|
}
|
|
----
|
|
|
|
This check can be bypassed because `"/Users/Johnny".startsWith("/Users/John")`
|
|
returns `true`. Thus, for validation, `"/Users/John"` should actually be
|
|
`"/Users/John/"`.
|
|
|
|
**Warning**: Some functions remove the terminating path separator in their
|
|
return value. +
|
|
The validation code should be tested to ensure that it cannot be impacted by this
|
|
issue.
|
|
|
|
https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
|
|
|