C Sharp Unsafe Path Traversal
Description
Detects path traversal in C# code where file system operations receive user-controlled paths. Because `..` segments and absolute paths are resolved by the operating system, an attacker who controls part of a path can reach files and directories outside the intended scope, leading to information disclosure (reading arbitrary files) or file system manipulation (creating, overwriting, moving or deleting them).
Detection Strategy
• Identifies calls to critical File operations including File.Copy, File.Create, File.Delete, File.Exists, File.Move, File.Open, and File.Replace
• Checks if any arguments to these file operations contain values from user input sources (e.g. request parameters, user connections)
• Reports a vulnerability when file operations are called with path arguments that can be controlled by user input without proper validation
Vulnerable code example
    using System;
    using System.IO;
    public class PathTraversalExample
    {
        public void ProcessFile(string userInput)
        {
            string baseDir = "path/";
            // Body completed here; the page's example is truncated after the line above.
            // userInput flows into the path unvalidated: "../../etc/passwd" escapes baseDir,
            // and an absolute path would make Path.Combine discard baseDir altogether.
            string fullPath = Path.Combine(baseDir, userInput);
            if (File.Exists(fullPath))
            {
                File.Delete(fullPath);
            }
        }
    }
✅ Secure code example
    using System;
    using System.IO;
    public class PathTraversalExample
    {
        private static readonly string[] ALLOWED_FILES = { "file1.txt", "file2.txt", "file3.txt" }; // Whitelist of allowed files
        public void ProcessFile(string userInput)
        {
            // Body completed here; the page's example is truncated after the line above.
            // Only exact, pre-approved file names reach the File API: a value containing
            // "../" or a drive letter can never equal an allowlist entry, so the path cannot
            // leave baseDir regardless of how the input is encoded.
            if (Array.IndexOf(ALLOWED_FILES, userInput) < 0)
            {
                throw new ArgumentException("File not allowed", nameof(userInput));
            }
            string baseDir = "path/";
            string fullPath = Path.Combine(baseDir, userInput);
            if (File.Exists(fullPath))
            {
                File.Delete(fullPath);
            }
        }
    }
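An allowlist is the strongest fix, but many applications must accept arbitrary file names (uploads, user documents) and cannot enumerate them in advance. The following is an added example, not code from the page or from Fluid Attacks, showing the canonicalise-then-compare pattern that generalises the allowlist: the user value is combined with the base directory, resolved with `Path.GetFullPath`, and rejected unless the canonical result still starts with the canonical base directory. The class `SafePathResolver`, its method `ResolveUnderBase`, and the sample inputs are all hypothetical and constructed for this illustration; it assumes .NET 5 or later for `OperatingSystem.IsWindows()`.

```csharp
using System;
using System.IO;

public static class SafePathResolver
{
    // Hypothetical helper (not part of the original page): resolves a user-supplied relative
    // name under baseDir and throws if the canonical result lies outside that directory.
    public static string ResolveUnderBase(string baseDir, string userInput)
    {
        if (string.IsNullOrWhiteSpace(userInput))
            throw new ArgumentException("Empty path", nameof(userInput));

        // Path.Combine returns the second argument unchanged when it is rooted, so an
        // absolute path ("/etc/passwd", "C:\Windows\...") would silently drop baseDir.
        if (Path.IsPathRooted(userInput))
            throw new UnauthorizedAccessException("Absolute paths are not allowed");

        // Canonicalise the base so "." and ".." segments are collapsed before comparing.
        string fullBase = Path.GetFullPath(baseDir);
        // The trailing separator matters: without it, "/srv/uploads" would be a prefix of
        // "/srv/uploads-private/secret" and the check below would pass.
        if (!fullBase.EndsWith(Path.DirectorySeparatorChar))
            fullBase += Path.DirectorySeparatorChar;

        string candidate = Path.GetFullPath(Path.Combine(fullBase, userInput));

        // NTFS is case-insensitive, so on Windows "C:\UPLOADS\x" must be treated as inside "c:\uploads\".
        StringComparison comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        if (!candidate.StartsWith(fullBase, comparison))
            throw new UnauthorizedAccessException("Path escapes the base directory");

        return candidate;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: a base directory under the temp folder and a mix of inputs.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");
        Directory.CreateDirectory(baseDir);

        string[] inputs =
        {
            "report.txt",                     // legitimate relative name
            "sub/report.txt",                 // legitimate nested name
            "../../etc/passwd",               // classic traversal
            "/etc/passwd",                    // rooted path that would bypass Path.Combine
            "sub/../../uploads-private/x",    // escapes via a sibling directory sharing the prefix
        };

        foreach (string input in inputs)
        {
            try
            {
                // Only the validated, canonical path ever reaches a File.* sink.
                string resolved = SafePathResolver.ResolveUnderBase(baseDir, input);
                Console.WriteLine($"ALLOW {input} -> {resolved} (exists: {File.Exists(resolved)})");
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine($"DENY  {input}: {ex.Message}");
            }
        }
    }
}
```

Two caveats a reviewer should keep in mind. First, `Path.GetFullPath` normalises lexically and does not follow symbolic links, so a symlink already present inside the base directory can still point outside it; if untrusted users can create links there, resolve the final path with `FileInfo.ResolveLinkTarget` (or `Directory.ResolveLinkTarget`) and re-run the prefix check on the target. Second, on Linux a backslash is an ordinary file-name character, so an input such as `..\..\windows\win.ini` is accepted as a literal name rather than treated as traversal; that is correct for the platform the code runs on, but code that is later deployed on Windows must not assume the separator.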