问题描述
我正在努力修复代码中的 Veracode 问题。我尝试了很多方法,但它仍然在我的代码中显示为一个漏洞。以下是导致问题的代码。
public static string SaveFile(this HttpPostedFile file,string filePath,string fileName = "")
{
if (filePath == null) throw new ArgumentNullException(nameof(filePath));
try
{
filePath.CreateDirectory();
if (string.IsNullOrEmpty(fileName))
fileName = $"{Path.GetFileNameWithoutExtension(file.FileName).Replace(" ","")}{DateTime.UtcNow:yyyyMMddHHmmssfff}{Path.GetExtension(file.FileName)}";
filePath = $"{filePath}/{fileName}";
var physicalPath = HttpContext.Current.Server.MapPath(filePath);
physicalPath.FilePathValidation();
var filepath = FileUtility.ValidateFilePath(physicalPath);
file.SaveAs(filepath);
//filePath = filePath.ServerUrl();
return filePath.Trimstart('~');
}
catch (Exception)
{
throw;
}
}
public static class FileUtility
{
[FilePathCleanser]
public static string ValidateFilePath(string file)
{
var regex = new System.Text.RegularExpressions.Regex(@"\.\.|\\|/",RegexOptions.IgnoreCase);
string filename = Path.GetFileName(file);
string fulldirectory = Path.GetDirectoryName(file);
var absolutePath = System.Web.Hosting.HostingEnvironment.MapPath("~");
var fileExtention = Path.GetExtension(file);
var extention = new string[] {".csv",".xlsx",".xls",".jpeg",".jpg",".png",".pdf",".bmp",".doc",".docx",".zip",".ppt","pptx",".text"};
if(!regex.IsMatch(filename) && fulldirectory.StartsWith(absolutePath) && extention.Contains(fileExtention.ToLower()))
{
return file;
}
throw new ValidationException("path/extension is not allowed ");
}
}
file.SaveAs(文件路径);导致问题。请让我知道如何修复它。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)