- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  Community, 10.3.0.82913, Azure DevOps Server with SonarQube Extension
- how is SonarQube deployed: zip, Docker, Helm
  Zip
- what are you trying to achieve
  Vulnerability with Path.Combine was not detected. It's a C# ASP.NET MVC application. There is an HTTP endpoint in a controller called uploadFile with a string filename as parameter. There is a null check after that and nothing else. Later in the code it will be combined with Path.Combine(uploadPath, filename). This is a serious issue because of the odd behavior of Path.Combine with absolute paths.
- what have you tried so far to achieve this
  After finding this issue we wondered why such a trivial case was not detected by SonarQube.
Hi,
Welcome to the community and thanks for this report!
Could you provide a compact reproducer, please?
Thx,
Ann
The Path.Combine method in .NET is frequently susceptible to Path Traversal (Directory Traversal) vulnerabilities (CWE-22) when used with untrusted user input. While its primary purpose is to safely concatenate path strings, its specific behavior with absolute and relative paths can be exploited by attackers to access files outside of the intended directory.
Core Vulnerability Mechanisms
There are two primary ways Path.Combine is exploited:
- Absolute Path Injection: If any argument passed to Path.Combine is an absolute path (e.g., C:\Windows\System32), the method ignores all previous arguments and returns that absolute path. An attacker providing C:\secrets.txt as a filename will bypass the intended base directory entirely.
- Relative Path Traversal: Using special character sequences like ../ (dot-dot-slash) allows an attacker to navigate up the directory tree. For example, combining C:\App\Uploads with ../../Windows/System32 results in C:\Windows\System32.
The problem is there isn’t one fix. In newer .NET you can use Path.Join to solve Absolute Path Injection, but you need to write custom sanitization/validation to solve Relative Path Traversal.
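As an added illustration (not code from the thread or from SonarSource), the snippet below contrasts the null-check-then-Path.Combine pattern from the report with one validation approach: require a bare file name, build the path with Path.Join, canonicalise it and confirm it still sits under the upload directory. The upload directory and file names are constructed sample values; the printed results assume Windows path semantics.

```csharp
using System;
using System.IO;

static class PathCombineDemo
{
    // Vulnerable pattern from the report: only a null check before Path.Combine.
    // A rooted filename replaces uploadPath; "..\" segments walk out of it.
    static string VulnerableTarget(string uploadPath, string filename)
    {
        if (filename == null) throw new ArgumentNullException(nameof(filename));
        return Path.Combine(uploadPath, filename);
    }

    // Hardened variant: returns the resolved path, or null when the name is rejected.
    static string SafeTarget(string uploadPath, string filename)
    {
        // Uploads are expected to be bare file names: reject anything rooted
        // (C:\..., \\server\...) or containing directory separators (..\...).
        if (string.IsNullOrWhiteSpace(filename)
            || Path.IsPathRooted(filename)
            || filename != Path.GetFileName(filename))
            return null;

        // Defence in depth: Path.Join never discards uploadPath, and the
        // canonicalised result must still start with the upload directory.
        string root = Path.GetFullPath(uploadPath).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Join(uploadPath, filename));
        // OrdinalIgnoreCase matches Windows' case-insensitive file system.
        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }

    static void Main()
    {
        string uploadPath = @"C:\App\Uploads";   // constructed sample directory
        string[] names = { "report.pdf", @"C:\secrets.txt", @"..\..\Windows\System32\x" };
        foreach (string name in names)
        {
            Console.WriteLine($"{name,-28} Combine => {VulnerableTarget(uploadPath, name)}");
            Console.WriteLine($"{name,-28} Safe    => {SafeTarget(uploadPath, name) ?? "rejected"}");
        }
    }
}
```

Only "report.pdf" resolves to C:\App\Uploads\report.pdf in the hardened variant; the other two names are rejected before any file system access, whereas Path.Combine returns C:\secrets.txt and C:\Windows\System32\x respectively.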
Hey Everyone,
I am noticing that you use Community, and this is why there’s no path traversal detection: Our “taint analysis” engine is only available on the paid versions of SonarQube Server (Or for free on SonarCloud).
You would have raised issue S2083.