using System;
using System.IO;
using System.Web;
/// <summary>
/// Handler whose only purpose is to feed a user-controlled path into a series of
/// file-system sinks, with and without validation.
/// NOTE(review): this reads like a test fixture for a taint-tracking / path-traversal
/// query — the "BAD:" / "GOOD:" markers describe the expected findings, so the BAD
/// cases are intentional and must not be "fixed" here. Confirm before refactoring.
/// </summary>
public class TaintedPathHandler : IHttpHandler
{
    /// <summary>
    /// Reads the <c>page</c> query-string parameter (fully attacker-controlled) and
    /// passes it to file-system APIs. Each case below is annotated with why the
    /// surrounding check does or does not constrain where the path can point.
    /// </summary>
    /// <param name="ctx">Current request context; the source of the tainted value.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        // Untrusted source: anything the client puts in ?page=... lands here unchanged.
        // Null when the parameter is absent — none of the checks below handle that,
        // so every use of `path` past this point can also throw ArgumentNullException.
        String path = ctx.Request.QueryString["page"];
        // BAD: Used via a File.Create... call.
        // Write sink: creates (or truncates) a file at an attacker-chosen location;
        // absolute paths and ../ sequences are passed straight through.
        using (StreamWriter sw = File.CreateText(path))
        {
            sw.WriteLine("Hello");
        }
        // BAD: Used via StreamWriter constructor
        // Same write sink as above, reached through the StreamWriter(string) overload.
        using (StreamWriter sw = new StreamWriter(path))
        {
            sw.WriteLine("Hello");
        }
        // BAD: Check is insufficient, text is read.
        // Only a *leading* "../" is rejected. Still accepted: absolute paths
        // (/etc/passwd, C:\...), the backslash form "..\", and traversal after a
        // harmless prefix ("pages/../../etc/passwd"). The culture-sensitive
        // StartsWith(string) overload is also used instead of an ordinal comparison.
        if (!path.StartsWith("../"))
        {
            File.ReadAllText(path);
        }
        // BAD: Check is insufficient, text is read.
        // Presence check only — says nothing about the *content* of the path.
        if (!string.IsNullOrEmpty(path))
        {
            File.ReadAllText(path);
        }
        // BAD: Check is insufficient, text is read.
        // Prepending a base directory does not confine the result: "../../etc/passwd"
        // still escapes "/home/user/". File.Exists is not a sanitiser either — it only
        // confirms the target is there — and the contents are then echoed to the
        // client, i.e. arbitrary file read for anything the worker process can open.
        string badPath = "/home/user/" + path;
        if (File.Exists(badPath))
        {
            ctx.Response.Write(File.ReadAllText(badPath));
        }
        // GOOD: Tainted path is passed through MapPath
        // allowCrossAppMapping == false: per the framework docs, MapPath throws an
        // HttpException when the virtual path resolves outside the application root,
        // so the physical path handed to ReadAllText is confined to the app directory.
        string safePath = ctx.Request.MapPath(path, ctx.Request.ApplicationPath, false);
        File.ReadAllText(safePath);
        // GOOD: Check against explicit paths
        // Allow-list by equality: only the literal "foo" can reach the sink.
        if (path == "foo")
        {
            File.ReadAllText(path);
        }
        // No BAD/GOOD marker in the original. An existence probe on the raw tainted
        // path — presumably not treated as a read/write sink by the query (at most it
        // reveals whether an arbitrary file or directory exists). Confirm intent.
        Directory.Exists(path);
        // GOOD: A Guid.
        // new Guid(string) throws FormatException on anything that is not a GUID, and
        // ToString() yields only hex digits and hyphens — no separators, no "..".
        File.ReadAllText(new Guid(path).ToString());
        // GOOD: A simple type.
        // int.Parse rejects non-numeric input; the round-tripped string is digits
        // (optionally a leading '-'), so it cannot contain a path separator.
        File.ReadAllText(int.Parse(path).ToString());
    }
    /// <summary>
    /// Returning true lets the runtime reuse one instance across requests. Safe here
    /// only because the class holds no per-request state in fields.
    /// </summary>
    public bool IsReusable
    {
        get
        {
            return true;
        }
    }
}