Path.Combine Vulnerability not detected

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Community, Azure DevOps Server with SonarQube Extension

  • how is SonarQube deployed: zip, Docker, Helm

  • what are you trying to achieve
    Vulnerability with Path.Combine was not detected. It’s a C# ASP.NET MVC application. There is an HTTP endpoint in a controller called uploadFile with String filename as parameter. There is a null check after that and nothing else. Later in the code it will be combined with Path.Combine(uploadPath, filename). This is a serious issue because of the odd behavior of Path.Combine with absolute paths.

  • what have you tried so far to achieve this
    After finding this issue we wondered why such a trivial case was not detected by SonarQube.
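
The Path.Combine behavior the post above refers to, shown as an added example that is not part of the thread or of the poster's application: when the second argument is rooted, Path.Combine returns it and discards the first. `UnsafeResolve`, `TrySafeResolve`, the upload root and the sample filenames are constructed for illustration.

```csharp
using System;
using System.IO;

static class UploadPathDemo
{
    // The pattern described in the post: a null check, then Path.Combine.
    static string UnsafeResolve(string uploadPath, string filename)
    {
        if (filename == null) throw new ArgumentNullException(nameof(filename));
        return Path.Combine(uploadPath, filename);
    }

    // Hardened form (hypothetical helper): accept a bare file name only,
    // canonicalize, and require the result to stay under the upload root.
    static bool TrySafeResolve(string uploadPath, string filename, out string resolved)
    {
        resolved = string.Empty;
        if (string.IsNullOrWhiteSpace(filename)) return false;

        string root = Path.GetFullPath(uploadPath);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Reject anything carrying a directory part instead of silently rewriting it.
        if (Path.GetFileName(filename) != filename) return false;

        // Catches "." and "..", which have no directory part but leave the root.
        string candidate = Path.GetFullPath(Path.Combine(root, filename));
        if (!candidate.StartsWith(root, StringComparison.Ordinal)) return false;

        resolved = candidate;
        return true;
    }

    static void Main()
    {
        string uploadPath = Path.Combine(Path.GetTempPath(), "uploads"); // constructed root
        string[] samples = { "report.pdf", "/etc/passwd", "../../web.config", ".." }; // constructed inputs

        foreach (string name in samples)
        {
            string unsafePath = Path.GetFullPath(UnsafeResolve(uploadPath, name));
            bool ok = TrySafeResolve(uploadPath, name, out string safePath);
            Console.WriteLine($"{name,-18} unsafe -> {unsafePath}");
            Console.WriteLine($"{"",-18} safe   -> {(ok ? safePath : "rejected")}");
        }
    }
}
```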


Welcome to the community and thanks for this report!

Could you provide a compact reproducer, please?