Ibm apps在VB.NET中的file.copy方法中扫描安全路径遍历问题 [英] Ibm appscan security pathtraversal issue in file.copy method in VB.NET
问题描述
我在VB.Net源上运行IBM AppScan工具。我在Path Traversal类别下的File.Copy方法中遇到一个安全问题。
问题详情 -
漏洞类型
PathTraversal
此API接受目录,文件名或两者。如果用户提供的数据用于创建文件路径,则可以操纵路径以指向不允许访问或可能包含恶意数据或代码的目录和文件。
如何解决这个问题?
I ran IBM AppScan tool on a VB.Net source.I am getting one security issue in File.Copy method under Path Traversal category.
Issue Detail -
Vulnerability Type
PathTraversal
This API accepts a directory, a filename, or both. If user supplied data is used to create the file path, the path can be manipulated to point to directories and files which should not be allowed access or which may contain malicious data or code.
How can i fix this issue?
Imports System.Web.Security.AntiXss
Private Function ProcessFile() As Boolean
Dim drive As String = String.Empty
Dim folder As String = String.Empty
Dim filename As String = String.Empty
Dim sourcePath As String = String.Empty
Dim destinationPath As String = String.Empty
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
folder = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Folder").ToString()))
filename = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("File").ToString()))
sourcePath = Path.Combine(drive, folder, filename)
destinationPath = Path.Combine(drive, folder, "text2.txt")
Try
If sourcePath.IndexOfAny(Path.GetInvalidPathChars()) = -1 AndAlso destinationPath.IndexOfAny(Path.GetInvalidPathChars()) = -1 Then
File.Copy(sourcePath, destinationPath, True)
Return True
Else
Return False
End If
Catch ex As Exception
Return False
End Try
End Function
我尝试过:
我们尝试过以下方法来解决这个问题,但它不起作用 -
1)Path.Combine()方法 - 使用Combine方法组合我们从配置文件中获取的值而不是使用&用于字符串连接。
2)使用DirectoryInfo和FileInfo类和GetFullPath方法
3)声明只读变量 - 创建只读变量并分配文件路径。
4)在传递之前使用Path.GetInvalidFileNameChars()验证文件名 - 使用此方法验证文件名。
5)使用正则表达式验证文件名 - 使用正则表达式在传递之前验证文件路径它是File.Copy或CreateDirectory函数。
What I have tried:
We have tried below approaches to fix this issue but it is not working-
1) Path.Combine() Method - Used Combine method to combine values we get from configuration file instead of using & for string concatenation.
2) Used DirectoryInfo and FileInfo Classes and GetFullPath Method
3) Declaration Readonly Variables - Created readonly variable and assign file path.
4) Validated the filename using Path.GetInvalidFileNameChars() before Passing - Used this method to validate file name.
5) Validated the filename using Regular Expression - Used regular expression to validate file path before passing it to File.Copy or CreateDirectory function.
推荐答案
如果目标是系统文件,通常文件复制操作可能存在安全风险或者与应用程序不在同一目录中的文件(假定进程具有权限等)。
Generally a file copy operation can be a security risk if the destination is a system file or a file not in the same directory as the app (given the process has permissions etc.)
我不是这方面的专家,但是您的代码看起来很复杂且过度。>
I am not a specialist on this, but your code look complicated and overkill.
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
据我所知:
As I understand it:
System.Configuration.ConfigurationManager.AppSettings("Drive")
是一个字符串,而不是转换为字符串:
is a string, than you convert to string:
System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()
然后将其格式化为相同的字符串:
Then you format it as an identical string:
String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString())
您的代码应简化为:
Your code should simplify as:
drive = AntiXssEncoder.XmlEncode(System.Configuration.ConfigurationManager.AppSettings("Drive"))
和文件夹
和文件
相同。
我甚至不确定你需要对字符串进行编码。
对于你的漏洞,请仔细阅读消息!
如果是用户输入,这是一个漏洞,而不是你的情况。
and same for folder
and file
.
I am not even sure you need to encode the string.
For your vulnerability, read carefully the message !
It is a vulnerability if it is a user input, which is not your case.
这篇关于Ibm apps在VB.NET中的file.copy方法中扫描安全路径遍历问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!