Vulnerability
User input should not allow path injection or path transversal attacks
Description
This PowerBuilder code rule states that user input should not be allowed to inject or traverse paths, as this could allow attackers to gain access to unauthorized areas of the system. Path injection and path transversal attacks involve maliciously manipulating the system's file paths to gain access to areas of the system that the user is not authorized to access. To prevent this, user input should be validated and filtered to ensure that only legitimate paths are allowed. Additionally, it is important to ensure that the system is configured to prevent users from accessing areas of the system that they do not have permission to access.
Key Benefits
- Path injection prevention: This rule prevents malicious users from entering a path to a file or directory that they are not authorized to access.
- Path transversal prevention: This rule prevents malicious users from attempting to access files and directories that they are not authorized to access by using a relative path.
Non-compliant Code Example
global function string testDelete (string docname)
boolean lb_exist
string ls_docname
ve_filehelper_utils helper
lb_exist = FileExists(docname)
FileDelete(docname) //Non compliant code
helper.FileDelete(docname)
Return docname
end function