tags:

views:

321

answers:

1
+1  Q: 

CAT.NET "Sanitize the file path prior to passing it to file system routines" message

Hi. I'm analyzing my code (C#, desktop application) with CAT.NET Code Analysis and getting "Sanitize the file path prior to passing it to file system routines" message when dealing with file names. What I don't understand is that to ensure the file name is valid, I use:

void SomeMethod(String filename)
{
    filename = System.IO.Path.GetFullPath(filename);
    // ... Do stuff
}

Isn't it a "magic solution" to solve problems with invalid file names ? I've read something similar here (first answer), but in my case I'm dealing only with local files, well, something very basic, so...

So why I'm getting this message and how to do to avoid getting it?

A: 

If the filename comes from a user, it could be something like "../../../../etc/passwd" - the error message is telling you that you need to sanitize it so that it can't get to directories it's not supposed to.

Annie  2009-12-31 07:50:09
That's exactly why I use Path.GetFullPath, which will transform a path like "C:\SomeStuff\ChildDirectory\..\..\FileHere.txt" to "C:\FileHere.txt".
MainMa  2009-12-31 07:53:28
And that is a huge security risk if the user entered the path--they could possibly access/overwrite files in directories they shouldn't be allowed to touch. In your example, you're assuming the file will be in "C:\SomeStuff\ChildDirectory", but really they're accessing a file in "C:\".
Annie  2009-12-31 08:04:19
I really don't understand.Path.GetFullPath("C:\SomeStuff\ChildDirectory\..\..\FileHere.txt") gives "C:\FileHere.txt". So by calling GetFullPath() at the beginning of each method (when need) and using its result, I'm safe. Or not?
MainMa  2009-12-31 11:20:16
If you just call GetFullPath with a user-supplied filename, you allow the user to access *any* path on the machine, not just the paths they are supposed to access. For example, lets say your app allows users to upload images, and stores them to c:\MyApp\Images, with the name the user specifies. They specify the name "..\..\Windows\explorer.exe" and overwrite C:\Windows\explorer.exe with a trojan. So you need to sanitize out things like "..\" instead of just accepting them into GetFullPath().
Annie  2010-01-01 22:38:20

related questions

Ajax and filenames - Best practices
Extracting extension from filename in Python
Uses for this bash filename extraction technique?
Windows Codepage Interactions with Standard C/C++ filenames?
C# Filepath Recasing
How to achieve dynamic page file names in ASP.NET?
In Batch: Read only the filename from a variable with path and filename
Howto get filename from which class was included in PHP
Java sort String array of file names by their extension
user defined Parameter used as part of a filename in Access
What are the rules for file extensions in Windows and Unix?
On Windows, when should you use the "\\\\?\\" filename prefix?
Turn a string into a valid filename in Python
Maximum Filename Length in NTFS (XP and Vista)?
Batch file script to remove special characters from filenames (Windows)
Encode URLs into safe filename string
How to rename with prefix/suffix ?
Any caveats to generating unique filenames for random images by running MD5 over the image contents?
Is this the best way to get unique version of filename w/ Python?
How can I write a shell script to direct grep data into a date-based filename?
What's the (JavaScript) Regular Expression I should use to ensure a string is a valid file name?
Is it the filename or the whole URL used as a key in browser caches?
Batch renaming of files with international chars on Windows XP
How to get file extension from string in C++
Replacing one string in a bunch of file names with another