我在VB.Net源代码上运行了IBM AppScan工具。我在Path.Transal类别下的File.Copy方法中遇到了一个安全问题。VB.Net中的File.Copy方法中的IBM AppScan安全性PathTraversal问题
问题详细信息 - 漏洞类型 - PathTraversal 此API接受目录,文件名或二者兼有。如果用户提供的数据用于创建文件路径,则可以操作路径以指向不应允许访问的目录和文件,或者可能包含恶意数据或代码的文件。
我该如何解决这个问题?
Imports System.Web.Security.AntiXss
Private Function ProcessFile() As Boolean
Dim drive As String = String.Empty
Dim folder As String = String.Empty
Dim filename As String = String.Empty
Dim sourcePath As String = String.Empty
Dim destinationPath As String = String.Empty
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
folder = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Folder").ToString()))
filename = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("File").ToString()))
sourcePath = Path.Combine(drive, folder, filename)
destinationPath = Path.Combine(drive, folder, "text2.txt")
Try
If sourcePath.IndexOfAny(Path.GetInvalidPathChars()) = -1 AndAlso destinationPath.IndexOfAny(Path.GetInvalidPathChars()) = -1 Then
File.Copy(sourcePath, destinationPath, True)
Return True
Else
Return False
End If
Catch ex As Exception
Return False
End Try
End Function