S2083 in WinForms classes

In a class inheriting from System.Windows.Forms.Form, something like:

using var sw = new System.IO.StreamWriter(Txt_OutputFilename.Text, false);

will trigger S2083.

Whilst the reasoning would be sound for code executing on a server, with a path from a client, this rule will flag where the desired behaviour is to allow the end user to choose a file to load (i.e. CWE-36: Absolute Path Traversal (mitre.org) is desired for a thick client). The issues mentioned there are mitigated by the process running in the context of a given user (unlike a client/server scenario, such as web).

Of course, none of the suggested mitigations make sense when you want to allow the end user to open any file that the operating system allows them to via other tools (e.g. notepad.exe).

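To make the distinction in the post above concrete, here is an added example (not code from the thread and not SonarSource's own guidance) showing the same file write in the two contexts the rule conflates: a server-style handler where the path fragment comes from an untrusted remote client and is pinned under a fixed root, and a thick-client handler where the user picks the file through the OS dialog and the process already runs with that user's own permissions. The `allowedRoot` value, the `ChooseOutputFile` and `WriteChosenFile` helpers, and the form control names are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Windows.Forms;

// Added illustration (not from the thread or from SonarSource): the same
// StreamWriter call in the two contexts S2083 treats identically.
public static class PathInjectionContexts
{
    // Server-style handling: the name comes from an untrusted client, so it is
    // constrained to a fixed root and canonicalised before use. This is the
    // shape of mitigation the rule suggests, and it is appropriate when the
    // process has broader file access than the remote caller should have.
    public static string ResolveUnderRoot(string allowedRoot, string untrustedName)
    {
        // allowedRoot is a hypothetical configured directory (e.g. an upload folder).
        string root = Path.GetFullPath(allowedRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Canonicalise the combined path; an absolute untrustedName replaces the
        // root in Path.Combine and ".." segments are resolved by GetFullPath, so
        // both CWE-36 (absolute) and relative traversal fail the prefix check.
        string full = Path.GetFullPath(Path.Combine(root, untrustedName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the allowed root.");

        return full;
    }

    // Thick-client handling: the user selects the file with the OS dialog and the
    // process runs as that user, so any path the OS permits is the intended
    // behaviour. Pinning it under a root would break the feature, not secure it.
    public static string ChooseOutputFile(IWin32Window owner)
    {
        using var dialog = new SaveFileDialog { Title = "Save output as" };
        return dialog.ShowDialog(owner) == DialogResult.OK ? dialog.FileName : null;
    }

    // Same pattern as the flagged line in the post; the path is the user's own choice.
    public static void WriteChosenFile(string path, string contents)
    {
        using var sw = new StreamWriter(path, false);
        sw.Write(contents);
    }
}
```

The point of keeping both side by side is that the canonicalisation check is the right control only where the process holds privileges the caller does not; in a desktop app the operating system's own ACLs are the boundary, which is why the rule's suggested mitigations read as false positives there.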

Hi @RowlandShaw,

thanks for your feedback.

We had an internal discussion and decided to remove the path injection detection for desktop apps. Currently there is no clear ETA yet for this.
