User input should not allow path injection or path transversal attacks

Rule description

  • Data entered by users such as URL parameters or cookies should be considered suspicious. If your code dynamically generates a file system path from this data, a hacker could inject specific values such as '../' and change the originally intended path.
  • These attacks are often called "path traversal" or "directory traversal". They allow the attacker to access forbidden directories to read, modify or delete sensitive data or execute operating system commands.
  • Visual Expert will identify the code introducing such vulnerabilities to let you sanitize it.
  • A possible defense strategy consists in defining a whitelist of authorized paths or characters.


Non-compliant Code Example

global function string testDelete (string docname)
boolean lb_exist
string ls_docname
ve_filehelper_utils helper

lb_exist = FileExists(docname)

FileDelete(docname) //Non compliant code


Return docname
end function
Visual Expert 2020