Version used: SonarCloud
We have a controller that accepts a resourceId from the user, and casts it as a Guid.
We verify it is not Guid.Empty, and if it is not, proceed to create a server filepath that includes that Guid as part of it.
SonarCloud is complaining with a Security Vulnerability: "Refactor this code to not construct the path from tainted, user-controlled data."
However, from my research, it seems like casting the user input as a Guid is enough to sanitize it.
False positive?
Code Snippet:
    [Route("Receipts"), HttpPost]
    public async Task<IHttpActionResult> DownloadReceipts(Guid requestId)
    {
        // Model binding has already rejected anything that is not a Guid; only the all-zero value is left to check.
        if (requestId == Guid.Empty) { throw new ArgumentException("Invalid request id."); }
        await DownloadReceiptsAsync(requestId);
        return Ok();
    }

    public async Task DownloadReceiptsAsync(Guid requestId)
    {
        //...
        // This is the line SonarCloud flags: requestId originates from the HTTP request.
        string requestDirectoryPath = $"{tempReceiptDirectoryPath}/{requestId}";
        Directory.CreateDirectory(requestDirectoryPath);
        //...
    }
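Added example (C#, not code from the original post): one way to make the guarantee explicit instead of leaving it implicit in the Guid type. It parses the id strictly, builds the path with Path.Combine, and verifies the resolved path stays under the base directory; the method and parameter names are assumptions, and the post's tempReceiptDirectoryPath is passed in as baseDirectory.

```csharp
using System;
using System.IO;

public static class ReceiptPaths
{
    // Builds <baseDirectory>/<requestId> and checks that the result stays inside baseDirectory.
    // A Guid formatted with "D" is always 32 hex digits and four hyphens, so it cannot carry a
    // directory separator or "..", but the explicit containment check documents that guarantee.
    public static string ResolveRequestDirectory(string baseDirectory, Guid requestId)
    {
        if (requestId == Guid.Empty)
            throw new ArgumentException("Invalid request id.", nameof(requestId));

        // "D" format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, lower-case hex and hyphens only.
        string segment = requestId.ToString("D");

        string root = Path.GetFullPath(baseDirectory);
        string candidate = Path.GetFullPath(Path.Combine(root, segment));

        // Require a separator boundary so that a root of "/tmp/receipts" does not
        // accept "/tmp/receipts2/..." as a child.
        string rootWithSep = root.EndsWith(Path.DirectorySeparatorChar.ToString())
            ? root
            : root + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(rootWithSep, StringComparison.Ordinal))
            throw new InvalidOperationException("Resolved path escapes the receipts directory.");

        return candidate;
    }

    // Variant (hypothetical) for an endpoint that receives the id as a raw string:
    // TryParseExact with "D" rejects anything that is not exactly a hyphenated GUID,
    // so values such as "../../etc" never reach the file system as a path segment.
    public static bool TryResolveFromUserInput(string baseDirectory, string rawId, out string path)
    {
        path = null;
        if (!Guid.TryParseExact(rawId, "D", out Guid id) || id == Guid.Empty)
            return false;
        path = ResolveRequestDirectory(baseDirectory, id);
        return true;
    }
}
```

On Windows, where paths are case-insensitive, StringComparison.OrdinalIgnoreCase is the more practical choice for the containment check; Ordinal is simply the stricter one.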