Home

Description

This PowerBuilder code rule states that user input should not be allowed to inject or traverse paths, as this could allow attackers to gain access to unauthorized areas of the system. Path injection and path transversal attacks involve maliciously manipulating the system's file paths to gain access to areas of the system that the user is not authorized to access. To prevent this, user input should be validated and filtered to ensure that only legitimate paths are allowed. Additionally, it is important to ensure that the system is configured to prevent users from accessing areas of the system that they do not have permission to access.

Key Benefits

• Path injection prevention: This rule prevents malicious users from entering a path to a file or directory that they are not authorized to access.
• Path transversal prevention: This rule prevents malicious users from attempting to access files and directories that they are not authorized to access by using a relative path.

Non-compliant Code Example

global function string testDelete (string docname)
boolean lb_exist
string ls_docname
ve_filehelper_utils helper

lb_exist = FileExists(docname)

FileDelete(docname) //Non compliant code

helper.FileDelete(docname)

Return docname
end function

Compliant Code Example

global function string testDelete (string docname)
boolean lb_exist
string ls_docname
ve_filehelper_utils helper

string verifiedPath = this.of_verifypath(docname) //Compliant code

lb_exist = FileExists(verifiedPath)

FileDelete(verifiedPath) //Compliant code

Return verifiedPath
end function