User input should not allow path injection or path traversal attacks
- Data entered by users such as URL parameters or cookies should be considered suspicious. If your code dynamically generates a file system path from this data, a hacker could inject specific values such as '../' and change the originally intended path.
- These attacks are often called "path traversal" or "directory traversal". They allow the attacker to access forbidden directories to read, modify or delete sensitive data or execute operating system commands.
- Visual Expert will identify the code introducing such vulnerabilities to let you sanitize it.
- A possible defense strategy consists of defining a whitelist of authorized paths or characters, and rejecting any input that falls outside it before the path is built.
Non-compliant Code Example
global function string testDelete (string docname)
boolean lb_exist
string ls_docname
ve_filehelper_utils helper

helper = CREATE ve_filehelper_utils

// docname comes straight from the caller and is used as a file path without any check
lb_exist = FileExists(docname)
FileDelete(docname) //Non compliant code
helper.FileDelete(docname)

DESTROY helper
Return docname
end function
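The whitelist strategy described above, applied to the same delete operation, as an added PowerScript example that is not Visual Expert's own code. The base directory, the function name testDeleteSafe and the 64-character limit are assumptions; the caller may only choose a bare file name, never a path.

```powerscript
global function string testDeleteSafe (string docname)
string ls_basedir, ls_fullpath, ls_char
integer li_i, li_len
// Character whitelist: plain file-name characters only (no slashes, no colons)
string ls_allowed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-."

ls_basedir = "C:\app\documents\"   // assumed fixed base directory; user input never changes it

// Reject empty or oversized names before looking at their content
li_len = Len(docname)
IF li_len = 0 OR li_len > 64 THEN RETURN ""

// Reject ".." outright so "../" or "..\" can never be assembled from the input
IF Pos(docname, "..") > 0 THEN RETURN ""

// Every character must be in the whitelist; Pos is case-sensitive, so both cases are listed
FOR li_i = 1 TO li_len
    ls_char = Mid(docname, li_i, 1)
    IF Pos(ls_allowed, ls_char) = 0 THEN RETURN ""
NEXT

// Only now is the path built, and always under the fixed base directory
ls_fullpath = ls_basedir + docname
IF FileExists(ls_fullpath) THEN
    FileDelete(ls_fullpath)
END IF
RETURN ls_fullpath
end function
```

An input such as "..\..\windows\system.ini" is rejected twice over (by the ".." check and by the backslash not being whitelisted), while "report_2024.txt" is accepted and deleted only inside the base directory.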