Vulnerability Change this code to not construct the path from user-controlled data

Vasantha_Kumar · September 27, 2023, 7:27am

I changed the code based on SonarQube suggestion. but still showing vulnerability. someone please help us.

byte[] blobData = blob.Buffer;
				strTempPath = strTempPath + @"\jpeg";                
                string strNewFilePath = string.Empty;
                strNewFilePath = Path.GetFullPath(System.IO.Path.Combine(strTempPath, savedFilePath.Substring(savedFilePath.LastIndexOf(@"\") + 1)));
                string fullDestDirPath = Path.GetFullPath(strTempPath + Path.DirectorySeparatorChar);                
                if (strNewFilePath.StartsWith(fullDestDirPath, StringComparison.Ordinal)) {
                    blobData = File.ReadAllBytes(strNewFilePath);
                } else
                {
                    throw new IOException("Attempting to read bytes");
                }

Colin · September 29, 2023, 8:33am

Hey there.

What version of SonarQube are you using?

Vasantha_Kumar · September 29, 2023, 9:50am

Hi,

kindly find below SonarQube version details.

Enterprise Edition
Version 8.9.7 (build 52159)

Colin · September 29, 2023, 11:01am

Hi,

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.9.7 → 9.9.2 → 10.2.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

If your issue persists after upgrade, please come back to us.