Avoid path traversal

This product is not supported for your selected Datadog site. ().
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Metadata

ID: csharp-security/path-traversal

Language: C#

Severity: Error

Category: Security

CWE: 22

Description

The rule “Avoid path traversal” is crucial to prevent unauthorized file access and potential data breaches in your application. Path traversal vulnerabilities occur when an attacker is able to manipulate a file path used in an operation, typically with ‘..’ sequences, to access files outside of the intended directory. This can lead to sensitive data exposure, unauthorized data modification or even code execution in some cases.

It is important because an attacker could potentially read, write, or delete sensitive files on the server, leading to a serious breach of data security. The severity of a path traversal attack can vary from information disclosure to complete system compromise depending on the system privileges of the application being attacked.

How to remediate

Never use user input to form a file path, always use constant or server-generated values. If user input must be used in file paths, it should be properly sanitized to remove any ‘..’ sequences or similar path navigation constructs. Also, using a whitelist of acceptable inputs is a strong defensive option. Always adhere to the principle of least privilege when setting access permissions for files and directories.

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Web;
using System.Text;

namespace Controllers
{
    public class VulnerableController : Controller
    {
        private readonly string _rootPath;

        public VulnerableController(string rootPath)
        {
            _rootPath = rootPath;
        }

        [HttpPost("/path-test")]
        public IActionResult Post()
        {
            // Get parameter from cookies
            string param = "defaultValue";
            if (Request.Cookies != null)
            {
                foreach (var cookie in Request.Cookies)
                {
                    if (cookie.Key.Equals("TestCookie"))
                    {
                        param = HttpUtility.UrlDecode(cookie.Value, Encoding.UTF8);
                        break;
                    }
                }
            }

            // Vulnerable: User input directly in Path.Combine
            string fileName = Path.Combine(_rootPath, "files", param);
            
            // Use the unsafe value
            FileStream fs = null;
            try
            {
                fs = new FileStream(fileName, FileMode.Open);
                // Read file...
            }
            catch (Exception e)
            {
                // Handle error...
            }
            finally
            {
                fs?.Close();
            }

            return Ok();
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Web;
using System.Text;

namespace Controllers
{
    public class SafeController : Controller
    {
        [HttpPost("/path-test")]
        public IActionResult Post()
        {
            // Get parameter from cookies
            string param = "defaultValue";
            if (Request.Cookies != null)
            {
                foreach (var cookie in Request.Cookies)
                {
                    if (cookie.Key.Equals("TestCookie"))
                    {
                        param = HttpUtility.UrlDecode(cookie.Value, Encoding.UTF8);
                        break;
                    }
                }
            }

            // Safe: Uses ternary that always evaluates to a constant
            string filePath = (7 * 18) + 106 > 200 ? "safe_constant_filename" : param;

            // Use the safe value
            FileStream fs = null;
            try
            {
                string fullPath = Constants.FILES_DIR + filePath;
                fs = new FileStream(fullPath, FileMode.Open);
                // Read file...
            }
            catch (Exception e)
            {
                // Handle error...
            }
            finally
            {
                fs?.Close();
            }

            return Ok();
        }
    }

    public static class Constants
    {
        public static string FILES_DIR = "files/";
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

シームレスな統合。 Datadog Code Security をお試しください

Datadog Code Security