Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved

      Description

      Noncompliant Code Example

      using System.IO;
      using System.IO.Compression;
      
      public class ZipHelper
      {
          /// <summary>
          /// Extracts every entry of <paramref name="zipFile"/> into <paramref name="destinationDirectory"/>.
          /// Noncompliant: the entry name is never validated, so a crafted archive can write files
          /// outside the destination directory ("Zip Slip" path traversal).
          /// </summary>
          /// <param name="zipFile">Archive whose entries are extracted. NOTE: System.IO.Compression.ZipFile is a static class;
          /// the instance type that exposes <c>Entries</c> is <c>ZipArchive</c>. The example keeps the name as written.</param>
          /// <param name="destinationDirectory">Directory the entries are meant to land in; nothing here enforces it.</param>
          public void Extract(ZipFile zipFile, string destinationDirectory)
          {
              foreach (var entry in zipFile.Entries)
              {
                  // GetFullPath resolves ".." segments, but the result is never compared against destinationDirectory,
                  // so the resolved path can be anywhere on the filesystem.
                  var destinationFileName = Path.GetFullPath(Path.Combine(destinationDirectory, entry.FullName));
                  entry.ExtractToFile(destinationFileName); // Noncompliant: entry.FullName may contain parent directory references (..)
                                                            // (or be an absolute path, which Path.Combine returns unchanged), so the
                                                            // file is written to an arbitrary directory outside of destinationDirectory
              }
          }
      }
      

      Compliant Solution

      using System;
      using System.IO;
      using System.IO.Compression;
      
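      public class ZipHelper
      {
          /// <summary>
          /// Extracts every entry of <paramref name="zipFile"/> into <paramref name="destinationDirectory"/>,
          /// skipping any entry whose resolved path would fall outside that directory ("Zip Slip" path traversal).
          /// </summary>
          /// <param name="zipFile">Archive whose entries are extracted. NOTE: System.IO.Compression.ZipFile is a static class;
          /// the instance type that exposes <c>Entries</c> is <c>ZipArchive</c>. The example keeps the name as written.</param>
          /// <param name="destinationDirectory">Directory every extracted file must stay inside of.</param>
          /// <remarks>
          /// Entries that fail the containment check are silently skipped, as in the original example;
          /// callers that need to know about rejected entries should log or throw here instead.
          /// </remarks>
          public void Extract(ZipFile zipFile, string destinationDirectory)
          {
              // Normalize the root once and force a trailing separator so the prefix test cannot be
              // satisfied by a sibling directory that merely shares the name as a prefix
              // (e.g. "/out" would otherwise accept "/outside/x"). Comparing against the raw
              // destinationDirectory string would also miss relative or non-canonical roots.
              var destinationRoot = Path.GetFullPath(destinationDirectory)
                  .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                  + Path.DirectorySeparatorChar;

              foreach (var entry in zipFile.Entries)
              {
                  // GetFullPath resolves ".." segments in entry.FullName before the check; an absolute
                  // entry name survives Path.Combine unchanged and is rejected by the prefix test below.
                  var destinationFileName = Path.GetFullPath(Path.Combine(destinationRoot, entry.FullName));

                  // Ordinal comparison: this is a byte-wise path prefix check, not linguistic text.
                  if (destinationFileName.StartsWith(destinationRoot, StringComparison.Ordinal)) // Do not extract files if the destination file path will be outside of destinationDirectory
                  {
                      entry.ExtractToFile(destinationFileName); // Compliant, destinationFileName is ensured to be under destinationDirectory
                  }
              }
          }
      }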
