How to fix 'Path Manipulation' issue from Fortify scan report for the following code sample
Problem description
I have a path manipulation problem. The following code is placed in the Page_Load method of an ASPX page.
String rName = Request.QueryString["reportName"];
string path = "C:\\hari" + rName;
if (File.Exists(path))
{
File.Delete(path);
}
But the Fortify scan report for the above sample code shows a 'Path Manipulation' issue rated High. I need help modifying the above code so that it can pass the Fortify scan.
Recommended answer
Jackson is right, this is a direct File Path Manipulation vulnerability that can be fixed through indirect selection. From your known directory, list all the files. Use the value coming from your own directory list, not the user-supplied value.
String rName = Request.QueryString["reportName"];
String knownPath = "C:\\hari";
// Enumerate the fixed directory; the FileInfo objects come from our own listing
DirectoryInfo di = new DirectoryInfo(knownPath);
FileInfo[] files = di.GetFiles(rName);
// C# arrays expose the count as Length (capital L), not length
if (files.Length > 0)
{
files[0].Delete();
}
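The answer's pattern, carried through as an added example that is not code from the question or the answer: the user-supplied name is only ever compared against names produced by our own listing of the fixed directory, and the object that is deleted always comes from that listing. It also rejects anything that is not a plain file name, which keeps GetFiles from throwing on inputs such as ".." and removes the wildcard behaviour of a search pattern. The report directory C:\hari is taken from the page; the class and method names are hypothetical.

```csharp
// Added example: indirect selection of a report to delete from a fixed directory.
// Assumes the report directory C:\hari from the page; ReportCleanup and
// TryDeleteReport are hypothetical names chosen for this example.
using System;
using System.IO;
using System.Linq;

public static class ReportCleanup
{
    // Known directory: a constant the request cannot influence.
    private const string KnownPath = @"C:\hari";

    // Returns true if a file whose name exactly matches the requested name was
    // found in KnownPath and deleted, false otherwise. The user-supplied value
    // is used only for comparison; the FileInfo acted on comes from our listing.
    public static bool TryDeleteReport(string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName))
            return false;

        // Reject separators, drive letters, wildcards and control characters:
        // GetInvalidFileNameChars covers '\\', '/', ':', '*', '?', '|', '<', '>' etc.
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return false;

        DirectoryInfo di = new DirectoryInfo(KnownPath);
        if (!di.Exists)
            return false;

        // Enumerate our own directory (no search pattern) and pick the entry
        // whose name matches the request. Windows file names are case-insensitive.
        FileInfo match = di.GetFiles()
            .FirstOrDefault(f => string.Equals(f.Name, requestedName,
                                               StringComparison.OrdinalIgnoreCase));
        if (match == null)
            return false;

        // Defence in depth: the selected entry must resolve inside KnownPath.
        string root = Path.GetFullPath(KnownPath)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!match.FullName.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;

        match.Delete();
        return true;
    }
}

// Usage from Page_Load (hypothetical call site):
//   bool deleted = ReportCleanup.TryDeleteReport(Request.QueryString["reportName"]);
```

Because the deleted FileInfo is never constructed from request data, static analysers such as Fortify no longer see a flow from the query string into the file-system sink; the name check is there so that odd inputs fail closed rather than throwing or matching several files.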