Hello all

I have written this code in VB.NET:
Public Function GetFileContentvalue(ByVal Path As String) As String

           Dim FileStream As New StreamReader(Path) ' <---
           Dim sFileText As String = String.Empty

           Try
               'Read file and load all its content to the string
               sFileText = FileStream.ReadToEnd()
               Return sFileText

           Catch ex As Exception
               message.show("File exception")
           Finally
               If FileStream IsNot Nothing Then
                   FileStream.Close()
               End If
           End Try

           Return sFileText
       End Function


'calling value

sconfigText = GetFileContent(sFilePath)

'********************************************************
When I scan my whole code, the HP Fortify scanner shows a path manipulation error at the line I pointed to above.


Please can someone guide me on how to overcome this problem in the HP Fortify scanner results.

Thanks in advance.

What I have tried:

I tried modifying the code, but I am unable to overcome that path manipulation error.
Updated 2-Sep-19 4:06am
Comments
Ralf Meier 14-Feb-19 6:21am    
What is a "HP fortify scanner" ?
What value does 'Path' contain ?
What about the documentation of your "Scanner" ...?
lakshjoshi 14-Feb-19 6:32am    
1. About HP Fortify SCA

Fortify Static Code Analyzer is a set of software security analyzers that search for violations of security-specific coding rules and guidelines. The analyzers provide rich data that pinpoint and prioritize violations in software source code.

2. Path the text file is read from, for example: D:\config.txt

3. Risky Resource Management - CWE ID 022
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). CWE-22 states: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory".
Fortify Category     Folder     Issues   Audited
Path Manipulation               37       0
                     Critical   9        0
                     High       9        0
                     Medium     9        0
                     Low        10       0

Let me know your suggestion. Thanks.
Richard Deeming 14-Feb-19 9:11am    
That would suggest that the code which calls your GetFileContentvalue function constructs the path based on values entered by the user, without properly validating those values. We can't tell you how to fix that code, because we can't see it.

Click "Improve question" and add the calling code to your question.

NB: You can simplify your function significantly by using File.ReadAllText:
Public Function GetFileContentvalue(ByVal Path As String) As String
    Try
        Return File.ReadAllText(Path)
    Catch ex As Exception
        message.show("File exception")
        Return String.Empty
    End Try
End Function
Bryian Tan 14-Feb-19 23:21pm    
Where is the Path from? User input? Configuration file?
lakshjoshi 15-Feb-19 3:27am    
Configuration file.

When I used the code above suggested by Richard, it works fine.
Now HP Fortify is not reporting the path manipulation error.
Thanks for the help.

1 solution

I am getting the same error with the Fortify scan, but I am using different code.

public void FileUpload(byte[] fileToUpload, string fileName, string userId, string userName, string email)
{
    string folder = ConfigurationManager.AppSettings.Get("IbaagDirectoryPath");
    if (System.IO.Path.IsPathRooted(fileName))
    {
        throw new ArgumentNullException("error");
    }
    // Line flagged by Fortify (Path Manipulation)
    string filePath = System.IO.Path.Combine(folder, fileName);
    System.IO.MemoryStream ms = new System.IO.MemoryStream(fileToUpload);
    try
    {
        using (System.IO.FileStream fs = System.IO.File.Create(filePath))
        {
            //Save the file from the input stream.
            using (System.IO.Stream stream = ms)
            {
                byte[] buffer = new byte[4096];

                int bytesRead;

                while ((bytesRead = stream.Read(buffer, 0, buffer.Length)) != 0)
                {
                    fs.Write(buffer, 0, bytesRead);
                }

                stream.Flush();
                //stream.Close();
            }
        }
    }
    finally
    {
        if (ms != null)
            ms = null;
    }
}


I am getting a Path Manipulation issue at the line where the following code is written. Please suggest a solution.
string filePath = System.IO.Path.Combine(folder, fileName);
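
One way to constrain the combined path discussed in this thread, as an added example that is not part of the original posts: an IsPathRooted check alone still lets `..` segments through, so the file name is limited to a bare name and the canonical result must stay under the configured folder. `SafePath`, `ResolveUnder` and the sample inputs are hypothetical names constructed for illustration; the base directory is assumed to come from trusted configuration.

```csharp
using System;
using System.IO;

public static class SafePath
{
    // Resolve an untrusted file name under baseDir, or throw if the result
    // would land outside baseDir. baseDir is assumed to be trusted config.
    public static string ResolveUnder(string baseDir, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("File name is required.", nameof(fileName));

        // Accept a bare file name only: no separators (either style),
        // no drive or UNC prefix, no characters invalid in a file name.
        if (fileName != Path.GetFileName(fileName) ||
            fileName.IndexOfAny(new[] { '/', '\\' }) >= 0 ||
            fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("File name must not contain path elements.", nameof(fileName));

        // Canonicalize the root and give it a trailing separator so that
        // "uploads" cannot prefix-match a sibling such as "uploads2".
        string sep = Path.DirectorySeparatorChar.ToString();
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;

        // Canonicalize the candidate; this collapses "." and ".." segments.
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Resolved path escapes the base directory.");
        return full;
    }

    public static void Main()
    {
        // Constructed sample root and inputs, for demonstration only.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");
        foreach (string name in new[] { "report.txt", @"..\..\web.config", "../secret.txt", ".." })
        {
            try { Console.WriteLine("{0} -> {1}", name, ResolveUnder(baseDir, name)); }
            catch (Exception ex) { Console.WriteLine("{0} -> rejected ({1})", name, ex.GetType().Name); }
        }
    }
}
```

Path.GetFullPath normalizes `..` segments but does not resolve symbolic links or junctions, so the base directory itself should not be writable by untrusted users.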

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


