file.writealltext path traversal vulnerability as per fortify scan ..error CWE 022

Devildib
Devildib used Ask the Experts™
on
hello experts,

in my code that got fortify scanned, there was a line file.writealltext(pathparam, strdata)...where pathparam is a combination of filename and current directory set somewhere above in the code. This line came under scanner advising to correct the break. I tried using a small method to validate the pathparam value by wrapping the pathparam value inside getfullpath method and if correctly returned used the same in file writealltext.Stilk the vulnerability exists. Kindly advise best way to fix this, if possible by a sample code. Many Thanks.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Directory Traversal or Path Traversal is an HTTP exploit that allows an attacker to access restricted files, directories and commands that reside outside the web server’s root directory. It is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.

These kind of attacks are commonly performed using web browsers.

pathparam variable contains "..\ ..\ ..\test" . thus pathparam variable is something like "..\ ..\ test_DATA_DATA.pdf" . When you try to create that file with writealltext(pathparam) function. That may lead to create this file at out out directory.

For mitigate you can replace backslash with empty too ( ..%2f..%2f is encoded form of ..\ ..\ ! please, consider this too ) . Fortify can mark this codes as a vulnerable again but this time it will be false positive.

Hope this helps

Author

Commented:
can you please provide a smaple..say two liner tonshow how encoding would hapoen and how to use the encoded value in place of the pathparam?

Author

Commented:
also to mention...its a c# windows application that i am working upon
You can try doing this:

Just before the: file.writealltext(pathparam, strdata)

Do this: --->>>pathparam = pathparam.Replace("..\\ ", "..%2f")

Your lines at the end should read:

pathparam = pathparam.Replace("..\\ ", "..%2f");
file.writealltext(pathparam, strdata)

Hope this helps

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial