I ran the IBM AppScan tool on a VB.Net source. I am getting one security issue in the File.Copy method under the Path Traversal category.
Issue Detail -
Vulnerability Type
PathTraversal
This API accepts a directory, a filename, or both. If user supplied data is used to create the file path, the path can be manipulated to point to directories and files which should not be allowed access or which may contain malicious data or code.

How can I fix this issue?
Imports System.IO
Imports System.Web.Security.AntiXss
Private Function ProcessFile() As Boolean
    Dim drive As String = String.Empty
    Dim folder As String = String.Empty
    Dim filename As String = String.Empty
    Dim sourcePath As String = String.Empty
    Dim destinationPath As String = String.Empty
    ' All three path components come from the application configuration file, not from a user.
    drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
    folder = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Folder").ToString()))
    filename = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("File").ToString()))

    sourcePath = Path.Combine(drive, folder, filename)
    destinationPath = Path.Combine(drive, folder, "text2.txt")

    Try
        ' Only reject paths containing characters that are invalid in any path.
        If sourcePath.IndexOfAny(Path.GetInvalidPathChars()) = -1 AndAlso destinationPath.IndexOfAny(Path.GetInvalidPathChars()) = -1 Then
            File.Copy(sourcePath, destinationPath, True)
            Return True
        Else
            Return False
        End If

    Catch ex As Exception
        Return False
    End Try
End Function


What I have tried:

We have tried the approaches below to fix this issue, but it is not working:

1) Path.Combine() method - Used the Combine method to combine the values we get from the configuration file instead of using & for string concatenation.
2) Used the DirectoryInfo and FileInfo classes and the GetFullPath method.
3) Declared read-only variables - Created a read-only variable and assigned the file path to it.
4) Validated the filename using Path.GetInvalidFileNameChars() before passing it - Used this method to validate the file name.
5) Validated the filename using a regular expression - Used a regular expression to validate the file path before passing it to the File.Copy or CreateDirectory function.
Posted
Updated 19-Sep-16 19:18pm
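For reference, the check that approaches 2, 4 and 5 above are reaching for is to canonicalise the combined path with Path.GetFullPath and then require the result to stay under one fixed base directory. The following is an added VB.NET example, not the poster's code and not from AppScan; the module and function names, the base directory and the sample file names are assumptions, and it assumes Windows-style paths.

```vb
' Added example (not the poster's code): canonicalise a configured relative
' path and require the result to stay under one allowed base directory.
' Assumes Windows-style paths; the base and file names are constructed samples.
Imports System
Imports System.IO
Module SafeCopyExample
    ' Returns the canonical full path when it lies inside baseDirectory,
    ' otherwise Nothing. Rooted input is rejected because Path.Combine would
    ' silently discard the base; "..\" segments are resolved by GetFullPath
    ' before the prefix check, so an escaping path also returns Nothing.
    Public Function ResolveInsideBase(baseDirectory As String, relativePath As String) As String
        If String.IsNullOrWhiteSpace(relativePath) Then Return Nothing
        If Path.IsPathRooted(relativePath) Then Return Nothing
        If relativePath.IndexOfAny(Path.GetInvalidPathChars()) <> -1 Then Return Nothing
        ' Normalise the base with a trailing separator so the prefix test
        ' cannot be satisfied by a sibling such as "C:\AppData\ReportsOld".
        Dim fullBase As String = Path.GetFullPath(baseDirectory)
        If Not fullBase.EndsWith(Path.DirectorySeparatorChar.ToString()) Then
            fullBase &= Path.DirectorySeparatorChar
        End If
        Dim candidate As String = Path.GetFullPath(Path.Combine(fullBase, relativePath))
        If candidate.StartsWith(fullBase, StringComparison.OrdinalIgnoreCase) Then
            Return candidate
        End If
        Return Nothing
    End Function

    ' Copies only when both endpoints resolve inside the base directory.
    Public Function CopyWithinBase(baseDirectory As String, sourceName As String, destinationName As String) As Boolean
        Dim src As String = ResolveInsideBase(baseDirectory, sourceName)
        Dim dst As String = ResolveInsideBase(baseDirectory, destinationName)
        If src Is Nothing OrElse dst Is Nothing Then Return False
        Try
            File.Copy(src, dst, True)
            Return True
        Catch ex As IOException
            Return False
        Catch ex As UnauthorizedAccessException
            Return False
        End Try
    End Function

    Sub Main()
        ' In the real code the base would come from AppSettings; a literal here.
        Dim base As String = "C:\AppData\Reports"
        Console.WriteLine(ResolveInsideBase(base, "text1.txt"))
        Console.WriteLine(ResolveInsideBase(base, "..\..\other\file.txt") Is Nothing)
        Console.WriteLine(ResolveInsideBase(base, "D:\elsewhere.txt") Is Nothing)
    End Sub
End Module
```

Because the accepted path is derived from a fixed base plus a validated relative name, the data flow a scanner flags on File.Copy no longer depends on the raw configuration string.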
Comments
F-ES Sitecore 19-Sep-16 6:10am    
It depends what exact issue it has with File.Copy. Saying it has an issue but not explaining exactly what the issue is, is just fighting blind.
Dave Kreskowiak 19-Sep-16 8:38am    
Without knowing what the AppScan tool is looking at and what causes that message to trip, you're fumbling around in the dark. You have to find out what it's looking at.

Honestly, IMHO, people spend way too much time trying to make a tool happy instead of understanding the tool and whether or not it should even apply to a particular situation.
Deepak A Rajput 20-Sep-16 3:19am    
The IBM AppScan tool is used to identify vulnerabilities present in the application. When I scan our application it is showing a security issue in the File.Copy(source, destination) method under the Path Traversal issue type and Classification as Scan Coverage. It is considering the method parameters as untrusted user inputs, whereas I am fetching these values from the configuration file.
Dave Kreskowiak 20-Sep-16 7:37am    
I know what the tool does. It's the RULE it's complaining about you have to know. Again, the question becomes: is this acceptable in your situation? That's a question only YOU can answer.

Generally a file copy operation can be a security risk if the destination is a system file or a file not in the same directory as the app (given the process has permissions etc.)
I am not a specialist on this, but your code looks complicated and overkill.
VB
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))

As I understand it:
VB
System.Configuration.ConfigurationManager.AppSettings("Drive")

is a string, which you then convert to a string:
VB
System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()

Then you format it as an identical string:
VB
String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString())

Your code should simplify as:
VB
drive = AntiXssEncoder.XmlEncode(System.Configuration.ConfigurationManager.AppSettings("Drive"))

and same for folder and file.
I am not even sure you need to encode the string.

For your vulnerability, read the message carefully!
It is a vulnerability if it is a user input, which is not your case.
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)