C Sharp Untrusted Path File Open
Description
Detects path injection vulnerabilities in C# applications where untrusted input could be used in File.Open operations. This could allow attackers to access arbitrary files outside the intended directory, potentially leading to unauthorized file access or information disclosure.
Detection Strategy
• Identifies calls to File.Open methods including variations with different namespace qualifiers (System.IO.File.Open, IO.File.Open, File.Open)
• Checks if the file path parameter passed to these methods originates from untrusted sources like user input, HTTP requests, or external data
• Reports a vulnerability when File.Open is called with a path parameter that can be controlled by external users without proper sanitization
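The three bullets above describe a source-to-sink check: find every spelling of File.Open, take its first argument, and ask whether that argument derives from an untrusted method parameter that has not passed through a containment check. The script below is an added illustration of that strategy in Python, not Fluid Attacks' own rule engine or its implementation. It is a deliberately small line-based heuristic: string parameters are the assumed taint sources, taint follows simple assignments, and an `if (!x.StartsWith(...))` guard is treated as the sanitizer. The two C# inputs are constructed for the example.

```python
import re
from dataclasses import dataclass

# The three spellings the rule recognises: System.IO.File.Open, IO.File.Open
# and a bare File.Open (the namespace qualifier group is optional).
FILE_OPEN = re.compile(r"\b(?:System\.IO\.|IO\.)?File\.Open\s*\(")
# A method header; group(1) is the parameter list. Parameters are the taint sources.
METHOD_HEADER = re.compile(
    r"\b(?:public|private|protected|internal)\s+(?:static\s+)?[\w<>\[\]]+\s+\w+\s*\(([^)]*)\)")
# A local assignment such as `string p = ...;`, `var p = ...;` or `p = ...;`
ASSIGNMENT = re.compile(r"^\s*(?:(?:var|string)\s+)?(\w+)\s*=\s*(.+?);\s*$")
# Assumed sanitizer: a containment guard of the form `if (!p.StartsWith(`
SANITIZER = re.compile(r"\bif\s*\(\s*!\s*(\w+)\.StartsWith\s*\(")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


@dataclass
class Finding:
    line: int       # 1-based line of the File.Open call
    call: str       # the spelling that matched, e.g. "IO.File.Open"
    argument: str   # the path expression handed to File.Open
    source: str     # the untrusted parameter the argument derives from


def first_argument(text, start):
    """Return the first argument of a call whose '(' sits at text[start]."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                break
        elif c == "," and depth == 1:
            break
        i += 1
    return text[start + 1:i].strip()


def scan(source):
    """Report File.Open calls whose path argument is untrusted and unsanitized."""
    findings = []
    tainted = {}  # local name -> originating string parameter
    for lineno, line in enumerate(source.splitlines(), 1):
        header = METHOD_HEADER.search(line)
        if header:
            # New method: its string parameters are the untrusted sources.
            tainted = {}
            for param in header.group(1).split(","):
                parts = param.strip().split()
                if len(parts) == 2 and parts[0] == "string":
                    tainted[parts[1]] = parts[1]
            continue
        assign = ASSIGNMENT.match(line)
        if assign:
            name, rhs = assign.groups()
            sources = {tainted[i] for i in IDENT.findall(rhs) if i in tainted}
            if sources:
                tainted[name] = sorted(sources)[0]   # taint propagates
            else:
                tainted.pop(name, None)              # overwritten with a clean value
        guard = SANITIZER.search(line)
        if guard:
            tainted.pop(guard.group(1), None)        # containment check seen
        for m in FILE_OPEN.finditer(line):
            arg = first_argument(line, m.end() - 1)
            sources = [tainted[i] for i in IDENT.findall(arg) if i in tainted]
            if sources:
                findings.append(Finding(lineno, m.group(0)[:-1].rstrip(), arg, sources[0]))
    return findings


# Constructed sample: all three call spellings fed from the parameter.
VULNERABLE = """\
using System.IO;
public class FileHandler
{
    public void ReadUserFile(string userInput)
    {
        var stream = File.Open(userInput, FileMode.Open);
        var copy = System.IO.File.Open(userInput + ".bak", FileMode.OpenOrCreate);
        string path = Path.Combine("/srv/uploads", userInput);
        using var s = IO.File.Open(path, FileMode.Open);
    }
}
"""

# Constructed sample: canonicalized, guarded path plus a constant path.
SAFE = """\
using System.IO;
public class FileHandler
{
    public void ReadUserFile(string userInput)
    {
        string root = Path.GetFullPath("/srv/uploads");
        string full = Path.GetFullPath(Path.Combine(root, userInput));
        if (!full.StartsWith(root + Path.DirectorySeparatorChar)) throw new ArgumentException();
        using var s = File.Open(full, FileMode.Open);
        using var log = File.Open("/var/log/app.log", FileMode.Append);
    }
}
"""

if __name__ == "__main__":
    for f in scan(VULNERABLE):
        print(f"line {f.line}: {f.call}({f.argument}) <- parameter {f.source}")
    print("safe sample findings:", len(scan(SAFE)))
```

Running it reports three findings for the first sample (lines 6, 7 and 9, one per spelling) and none for the second, because the `StartsWith` guard clears the taint on `full` before the call and the log path is a constant. A real analyzer tracks taint across methods and files and models many more sanitizers; this script only shows the shape of the check.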
Vulnerable code example
using System;
using System.IO;

public class FileHandler
{
    public void ReadUserFile(string userInput)
    {
        // Vulnerable: Direct use of user input in file path without validation
        using (FileStream stream = File.Open(userInput, FileMode.Open))
        {
            // ... read from the stream
        }
    }
}

✅ Secure code example
using System;
using System.IO;

public class FileHandler
{
    // Assumed directory that user files are confined to
    private static readonly string BaseDirectory = Path.GetFullPath("/srv/app/userfiles");

    public void ReadUserFile(string userInput)
    {
        // Validate input is not null/empty
        if (string.IsNullOrWhiteSpace(userInput))
            throw new ArgumentException("File name is required", nameof(userInput));

        // Canonicalize, then confirm the result still lies under the base directory
        string fullPath = Path.GetFullPath(Path.Combine(BaseDirectory, userInput));
        if (!fullPath.StartsWith(BaseDirectory + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Path escapes the allowed directory");

        using FileStream stream = File.Open(fullPath, FileMode.Open, FileAccess.Read);
        // ... read from the stream
    }
}