Security Vulnerability: Tainted Input on Guids (C#)

Version used: SonarCloud

We have a controller that accepts a resourceId from the user, and casts it as a Guid.
We verify it is not Guid.Empty, and if not, proceed to create a server filepath that includes that Guid as part of it.

SonarCloud is complaining with Security Vulnerability: Refactor this code to not construct the path from tainted, user-controlled data.

However, from my research, it seems like casting the user input as a Guid is enough to sanitize it.

False positive?

Code Snippet:

    [Route("Receipts"), HttpPost]
    public async Task<IHttpActionResult> DownloadReceipts(Guid requestId)
    {
        // Reject the all-zero Guid; the parameter name was mistyped as receiptsRequestId in the original paste
        if (requestId == Guid.Empty) { throw new ArgumentException("Invalid request id."); }
        await DownloadReceipts(requestId);
        return Ok();
    }

    public async Task DownloadReceipts(Guid requestId)
    {
        //...
        // requestId is already a System.Guid here, bound by ASP.NET from the request
        string requestDirectoryPath = $"{tempReceiptDirectoryPath}/{requestId}";
        Directory.CreateDirectory(requestDirectoryPath);
        //...
    }

Hello @dbJones,

Thanks for the feedback.

I confirm you are right and SonarCloud should not consider Guid as a potential source of an attack because the accepted format of Guid (https://docs.microsoft.com/en-us/dotnet/api/system.guid.tostring?view=netframework-4.8#System_Guid_ToString) doesn’t allow dangerous characters to be included. It only accepts digits or hyphens.
When the requestId is handled in the Task method, it is already sanitized by the automatic casting to Guid performed by ASP.NET. It should be considered as safe here.

I created https://jira.sonarsource.com/browse/SONARSEC-1022 to fix that problem (private ticket). Meanwhile, you will have to mark the issue as a False-Positive.

Alex
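As an added illustration of the point above (example code, not from the thread or from SonarSource): once a request value has been bound to System.Guid, re-serialising it with the default "D" format can only yield hex digits and hyphens, so no traversal or separator characters can reach the path. The base directory name and the containment check are assumptions added here as defence in depth.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

public static class GuidPathDemo
{
    // Hypothetical stand-in for the thread's tempReceiptDirectoryPath field.
    private static readonly string TempReceiptDirectoryPath =
        Path.Combine(Path.GetTempPath(), "receipts");

    // Mirrors what ASP.NET model binding does for a Guid action parameter:
    // a raw string that does not parse as a Guid never reaches the action.
    public static bool TryBindGuid(string raw, out Guid id) => Guid.TryParse(raw, out id);

    // Builds the per-request directory from the canonical "D" format and
    // verifies that the resolved path still lies under the base directory.
    public static string BuildRequestDirectory(Guid requestId)
    {
        if (requestId == Guid.Empty) throw new ArgumentException("Invalid request id.");

        // "D" format: 8-4-4-4-12 lowercase hex digits separated by hyphens.
        string name = requestId.ToString("D");
        if (!Regex.IsMatch(name, "^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"))
            throw new InvalidOperationException("Unexpected Guid format.");

        string basePath = Path.GetFullPath(TempReceiptDirectoryPath);
        string full = Path.GetFullPath(Path.Combine(basePath, name));
        if (!full.StartsWith(basePath + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Path escaped the base directory.");
        return full;
    }

    public static void Main()
    {
        // Constructed sample inputs: the first two cannot bind as a Guid at all;
        // the braced "B" form binds, but its braces are gone after ToString("D").
        string[] samples =
        {
            "../../etc/passwd",
            "..\\..\\windows\\system32",
            "{1b4e28ba-2fa1-11d2-883f-0016d3cca427}",
            Guid.NewGuid().ToString(),
        };
        foreach (string s in samples)
        {
            if (TryBindGuid(s, out Guid id))
                Console.WriteLine($"bound   : {s} -> {BuildRequestDirectory(id)}");
            else
                Console.WriteLine($"rejected: {s}");
        }
    }
}
```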

Hello,

FYI, SONARSEC-1022 was fixed and deployed on SonarCloud. You should no longer see such a vulnerability raised involving Guid objects.

Regards
Alex
