我在VB.Net源代碼上運行了IBM AppScan工具。我在Path.Transal類別下的File.Copy方法中遇到了一個安全問題。VB.Net中的File.Copy方法中的IBM AppScan安全性PathTraversal問題
問題詳細信息 - 漏洞類型 - PathTraversal 此API接受目錄,文件名或二者兼有。如果用戶提供的數據用於創建文件路徑,則可以操作路徑以指向不應允許訪問的目錄和文件,或者可能包含惡意數據或代碼的文件。
我該如何解決這個問題?
Imports System.Web.Security.AntiXss
Private Function ProcessFile() As Boolean
Dim drive As String = String.Empty
Dim folder As String = String.Empty
Dim filename As String = String.Empty
Dim sourcePath As String = String.Empty
Dim destinationPath As String = String.Empty
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
folder = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Folder").ToString()))
filename = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("File").ToString()))
sourcePath = Path.Combine(drive, folder, filename)
destinationPath = Path.Combine(drive, folder, "text2.txt")
Try
If sourcePath.IndexOfAny(Path.GetInvalidPathChars()) = -1 AndAlso destinationPath.IndexOfAny(Path.GetInvalidPathChars()) = -1 Then
File.Copy(sourcePath, destinationPath, True)
Return True
Else
Return False
End If
Catch ex As Exception
Return False
End Try
End Function