User input should not allow path injection or path traversal attacks
Rule description
- Data entered by users, such as URL parameters or cookies, should be considered suspicious. If your code dynamically builds a file system path from this data, an attacker could inject specific values such as '../' and change the originally intended path.
- These attacks are often called "path traversal" or "directory traversal". They allow the attacker to reach forbidden directories in order to read, modify or delete sensitive data, or to execute operating system commands.
- Visual Expert will identify the code introducing such vulnerabilities so that you can sanitize it.
- One possible defense strategy is to define a whitelist of authorized paths or characters.
Non-compliant Code Example
global function string testDelete (string docname)
    boolean lb_exist
    string ls_docname
    ve_filehelper_utils helper

    // docname arrives straight from the caller (URL parameter, cookie, ...)
    // and is used as a file system path without any validation
    lb_exist = FileExists(docname)
    FileDelete(docname) // Non compliant code: unvalidated user input reaches FileDelete

    // the helper object must be instantiated before it is used
    helper = CREATE ve_filehelper_utils
    helper.FileDelete(docname) // Non compliant code: the same unvalidated path is passed on
    DESTROY helper

    Return docname
end function
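As an added example that is not part of the original rule page or of Visual Expert's own code, the following Python module shows the two defenses the rule description points at, applied to the same scenario as testDelete: a strict whitelist of acceptable document names, and canonicalization of the requested path followed by a containment check against the application's document directory. DOCUMENT_ROOT, the permitted extensions and the sample inputs are constructed for the illustration; delete_document is a hardened counterpart of testDelete, written here rather than taken from the page.

```python
import os
import re

# Constructed base directory for this example (hypothetical application path).
DOCUMENT_ROOT = "/srv/app/documents"

# Whitelist for the common case: a bare file name, starting with a letter or
# digit, with an extension the application actually serves. Anything else
# (separators, '..', leading dots, NUL bytes, unknown extensions) is refused.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(pdf|txt|csv)$")


def allowed_document_name(docname):
    """Return True only for a plain file name that matches the whitelist."""
    return bool(SAFE_NAME.fullmatch(docname))


def resolve_under_root(user_path, root=DOCUMENT_ROOT):
    """Canonicalize user_path relative to root and refuse anything that
    escapes root.

    Use this when legitimate sub-directories must be allowed and a bare-name
    whitelist is too strict. Returns the canonical path, or None if the
    request is rejected.
    """
    if "\x00" in user_path:          # NUL bytes truncate paths in C-based APIs
        return None
    root_real = os.path.realpath(root)
    # os.path.join drops root when user_path is absolute, and realpath
    # resolves '..' segments and symlinks, so the containment check below
    # sees the path the file system would actually use.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def delete_document(user_docname, root=DOCUMENT_ROOT, remover=os.remove):
    """Hardened counterpart of the page's testDelete.

    Validate first, then operate on the canonical path, never on the raw
    input. Returns the path that was deleted, or None if the request was
    refused or the file did not exist. `remover` is injectable for testing.
    """
    if not allowed_document_name(user_docname):
        return None
    path = resolve_under_root(user_docname, root)
    if path is None:
        return None
    try:
        remover(path)
    except FileNotFoundError:
        return None
    return path


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a URL parameter.
    samples = (
        "report.pdf",              # legitimate request
        "../../etc/passwd",        # classic traversal
        "/etc/passwd",             # absolute path replaces the root
        "docs/../../secret.txt",   # traversal hidden behind a sub-directory
        ".hidden.pdf",             # stays inside root but fails the whitelist
        "docs/2024/report.pdf",    # sub-directory: contained, whitelist says no
    )
    for name in samples:
        print(f"{name!r:26} whitelist={allowed_document_name(name)!s:5} "
              f"contained={resolve_under_root(name) is not None}")
```

The two checks are deliberately independent: the whitelist is the stronger control and should be preferred when the application only ever needs flat file names, while resolve_under_root is the fallback for applications that must accept sub-directories. Running the module prints one line per sample so the difference between the two policies is visible on the traversal cases and on the sub-directory case.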