1

I have an application in ASP.NET which uses the Veracode scan to detect any security flaws in the application. When scanning, one of my functions shows the following error: "External Control of File Name or Path". Does anyone know how to fix this error?

Sample code:

    if (!Directory.Exists(fullPath))
        Directory.CreateDirectory(fullPath);

I have tried validating the fullPath parameter for invalid characters, referring to the URL below, but the issue still persists. Can anyone please help me fix this issue? Thanks.

http://www.howtoasp.net/asp-net-security-tutorials/how-to-control-path-composition-to-protect-asp-net-web-application-from-directory-traversal-vulnerability-in-c/

Anuja

1 Answer

0

It is mainly because of the file path, file stream or stream writer. Make sure that you validate the path with your input. Veracode thinks that a hacker can add a path, say windows/importantfile, and would try to get access to that folder.

If you are not validating your path with input, this flaw may come up with Veracode.

Please see the link for more information. Veracode directory traversal Issue c#

John Kuriakose
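The path validation this answer describes, as an added example that is not part of the original post: resolve the input against a fixed base directory and refuse anything whose canonical form falls outside it, rather than filtering characters. The `uploads` root and the names `SafeDirectory`, `ResolveUnderBase` and `EnsureDirectory` are assumptions made for illustration.

```csharp
using System;
using System.IO;

public static class SafeDirectory
{
    // Assumption: every user-created folder lives under this fixed root (hypothetical location).
    private static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "uploads"));

    // Returns the canonical path under BaseDir, or throws if the input escapes it.
    public static string ResolveUnderBase(string userSegment)
    {
        if (string.IsNullOrWhiteSpace(userSegment))
            throw new ArgumentException("Empty path segment.", nameof(userSegment));

        // Path.Combine discards BaseDir when userSegment is rooted ("C:\x", "\\host\share"),
        // and ".." is only collapsed by GetFullPath, so check the canonical result.
        string candidate = Path.GetFullPath(Path.Combine(BaseDir, userSegment));

        // Compare against "root + separator" so that "uploads-evil" does not match "uploads".
        string root = BaseDir.EndsWith(Path.DirectorySeparatorChar.ToString())
            ? BaseDir : BaseDir + Path.DirectorySeparatorChar;

        // Case-insensitive comparison assumes a Windows (case-insensitive) file system.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the allowed directory.");
        return candidate;
    }

    // The question's CreateDirectory call, reached only through the containment check.
    public static void EnsureDirectory(string userSegment)
    {
        string fullPath = ResolveUnderBase(userSegment);
        if (!Directory.Exists(fullPath))
            Directory.CreateDirectory(fullPath);
    }

    public static void Main()
    {
        // Constructed sample inputs: one legitimate, three that try to leave the root.
        foreach (var input in new[] { @"reports\2024", @"..\..\Windows", @"C:\Windows", @"a\..\..\b" })
        {
            try { Console.WriteLine($"{input} -> {ResolveUnderBase(input)}"); }
            catch (Exception ex) { Console.WriteLine($"{input} -> rejected ({ex.GetType().Name})"); }
        }
    }
}
```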