0

My code essentially takes a file uploaded to the server using a front end, by referring to the $_FILES variable in PHP, and moves it to a new file on the server. The following snippet summarizes the code:

$actual_file = $_FILES['file_uploaded']['tmp_name']; // temporary path PHP gave the upload
move_uploaded_file($actual_file, $target_file);      // $target_file is read from the database

Here, I get the target_file variable from the database.

So, when I perform the code scan, it creates a high vulnerability for this snippet with error type "File Manipulation", highlights the $_FILES variable above and gives the message "The input obtained in the file is used to determine the location of the file to be written into, potentially allowing an attacker to alter or corrupt the contents of that file, or create a new file altogether."

Does anyone know how to avoid the error?

Thanks in advance.

2 Answers

1

I suggest you read and apply all the rules defined in the OWASP Cheat Sheet about file upload. These are the best rules to have.

SPoint
  • 582
  • 2
  • 10
0

Some ways to mitigate path traversal and file manipulation are:

  1. Validating the user's input. Accept only valid values (whitelist).
  2. Remove "..\" and "../" from any input that's used in a file context.
  3. Use indexes instead of actual portions of file names while using language files (i.e. value 5 from the user submission = Indian, rather than expecting the user to return "Indian").
  4. Implement strict code access policies to restrict where files can be saved to.
  5. Ensure the user cannot supply any part of the path to the file read or written to.

This information was found at https://www.checkmarx.com/knowledge/knowledgebase/path-traversal. If you are already using Checkmarx software, it may give you a lot of false positives, but don't always assume that. I hope this helped. If you have any other questions let me know.

Revvz
  • 455
  • 1
  • 6
  • 14
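As an added example, not code from the question or either answer: a hardened version of the upload step in the question that applies points 1, 2, 4 and 5 above, so that neither the browser nor a database row ever contributes a path component. The upload directory, the extension whitelist and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/uploads';   // assumed; keep it outside the web root
const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

// Join a stored basename onto UPLOAD_DIR and prove the result stays inside it
// (points 2, 4 and 5). Separators and ".." are rejected, not silently stripped.
function confinedTarget(string $basename): string
{
    if ($basename === '' || $basename !== basename($basename) || strpos($basename, '..') !== false) {
        throw new RuntimeException('Invalid file name');
    }
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        throw new RuntimeException('Upload directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $basename;
    if (dirname($target) !== $base) {             // defence in depth: must resolve under $base
        throw new RuntimeException('Destination escapes upload directory');
    }
    return $target;
}

// Validate the upload itself (point 1) and store it under a server-generated name.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid uploaded file');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Check the actual content type, not the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_EXT[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // The user controls neither directory nor basename; only the vetted extension survives.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], confinedTarget($name))) {
        throw new RuntimeException('Could not store file');
    }
    return $name; // persist this name in the database, never a full path
}

// Usage: $storedName = storeUpload($_FILES['file_uploaded']);
```

If the database row must keep supplying the destination, pass that stored basename through confinedTarget() before calling move_uploaded_file(), so a scanner sees the value checked before it reaches the sink.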