High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:132
| 2 | 2024-07-30 05:13am |
Vulnerable Code
|
|
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
2 data flows detected
View Data Flow 1
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, bytes), |
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
View Data Flow 2
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, bytes), |
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:133
| 2 | 2024-07-30 05:13am |
Vulnerable Code
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
|
await File.WriteAllBytesAsync(storagePath, bytes); |
2 data flows detected
View Data Flow 1
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, bytes), |
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
await File.WriteAllBytesAsync(storagePath, bytes); |
View Data Flow 2
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, bytes), |
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
await File.WriteAllBytesAsync(storagePath, bytes); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:132
| 2 | 2024-07-30 05:13am |
Vulnerable Code
|
|
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
2 data flows detected
View Data Flow 1
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, bytes), |
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
View Data Flow 2
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, bytes), |
|
private async Task<string> WriteAsync(string path, byte[] bytes) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Server Side Request Forgery |
CWE-918
|
StorageManager.cs:50
| 2 | 2024-05-20 02:28pm |
Vulnerable Code
|
|
|
public async Task<StorageDto> UploadAsync(DateTime uploadAt, int userid, Uri baseAddress, string url, string? fileName = null) |
|
{ |
|
using var client = _httpClientFactory.CreateClient(); |
|
client.BaseAddress = baseAddress; |
|
using var response = await client.GetAsync(url); |
2 data flows detected
View Data Flow 1
|
using var response = await client.GetAsync(url); |
View Data Flow 2
|
return await _importManager.WriteAsync(request, userId); |
|
public async Task<IEnumerable<PostEditorDto>> WriteAsync(ImportDto request, int userId) |
|
foreach (var post in request.Posts) |
|
public new List<FrontPostImportDto> Posts { get; set; } = default!; |
|
foreach (var post in request.Posts) |
|
await _storageManager.UploadAsync(publishedAt, user.Id, baseAddress, post.Cover); |
|
public async Task<StorageDto> UploadAsync(DateTime uploadAt, int userid, Uri baseAddress, string url, string? fileName = null) |
|
using var response = await client.GetAsync(url); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Server Side Request Forgery Training
● Videos
▪ Secure Code Warrior Server Side Request Forgery Video
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:120
| 4 | 2024-05-20 02:28pm |
Vulnerable Code
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
|
using var fileStream = new FileStream(storagePath, FileMode.CreateNew); |
4 data flows detected
View Data Flow 1
|
using var response = await client.GetAsync(url); |
|
fileName = response.Content.Headers.ContentDisposition?.FileNameStar; |
|
path = $"{folder}/{fileName}"; |
|
var storage = await _storageProvider.GetCheckStoragAsync(path); |
|
public async Task<StorageDto?> GetCheckStoragAsync(string path) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
using var fileStream = new FileStream(storagePath, FileMode.CreateNew); |
View Data Flow 2
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
public async Task<StorageDto> AddAsync(DateTime uploadAt, int userid, string path, string fileName, Stream stream, string contentType) |
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
using var fileStream = new FileStream(storagePath, FileMode.CreateNew); |
View Data Flow 3
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
public async Task<StorageDto> AddAsync(DateTime uploadAt, int userid, string path, string fileName, Stream stream, string contentType) |
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
using var fileStream = new FileStream(storagePath, FileMode.CreateNew); |
[additional data flows not shown]
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:119
| 4 | 2024-05-20 02:28pm |
Vulnerable Code
|
|
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
4 data flows detected
View Data Flow 1
|
using var response = await client.GetAsync(url); |
|
fileName = response.Content.Headers.ContentDisposition?.FileNameStar; |
|
path = $"{folder}/{fileName}"; |
|
var storage = await _storageProvider.GetCheckStoragAsync(path); |
|
public async Task<StorageDto?> GetCheckStoragAsync(string path) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
View Data Flow 2
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
View Data Flow 3
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
[additional data flows not shown]
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:119
| 4 | 2024-05-20 02:28pm |
Vulnerable Code
|
|
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
4 data flows detected
View Data Flow 1
|
using var response = await client.GetAsync(url); |
|
fileName = response.Content.Headers.ContentDisposition?.FileNameStar; |
|
path = $"{folder}/{fileName}"; |
|
var storage = await _storageProvider.GetCheckStoragAsync(path); |
|
public async Task<StorageDto?> GetCheckStoragAsync(string path) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
View Data Flow 2
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
View Data Flow 3
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public string? Cover { get; set; } |
|
var coverUrl = await storageManager.UploadImagesBase64(uploadAt, userId, post.Cover); |
|
public async Task<string> UploadImagesBase64(DateTime uploadAt, int userid, string dataOrUrl) |
[remaining steps not shown]
|
Slug = await WriteAsync(path, stream), |
|
private async Task<string> WriteAsync(string path, Stream stream) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
var directoryPath = Path.GetDirectoryName(storagePath)!; |
|
if (!Directory.Exists(directoryPath)) Directory.CreateDirectory(directoryPath); |
[additional data flows not shown]
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:105
| 2 | 2024-05-20 02:28pm |
Vulnerable Code
|
|
|
private void Delete(string path) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
_logger.LogInformation("file delete: {storagePath}", storagePath); |
|
File.Delete(storagePath); |
2 data flows detected
View Data Flow 1
|
using var response = await client.GetAsync(url); |
|
fileName = response.Content.Headers.ContentDisposition?.FileNameStar; |
|
path = $"{folder}/{fileName}"; |
|
var storage = await _storageProvider.GetCheckStoragAsync(path); |
|
public async Task<StorageDto?> GetCheckStoragAsync(string path) |
[remaining steps not shown]
|
var existsing = Exists(path); |
|
private void Delete(string path) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
File.Delete(storagePath); |
View Data Flow 2
|
return await _storageManager.UploadAsync(currTime, userId, file); |
|
public async Task<StorageDto?> UploadAsync(DateTime uploadAt, int userid, IFormFile file) |
|
var fileName = GetFileName(file.FileName); |
|
private static string GetFileName(string fileName) |
[remaining steps not shown]
|
var existsing = Exists(path); |
|
private void Delete(string path) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
File.Delete(storagePath); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
High | Path/Directory Traversal |
CWE-22
|
StorageLocalProvider.cs:112
| 2 | 2024-05-20 02:28pm |
Vulnerable Code
|
|
|
private bool Exists(string path) |
|
{ |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
_logger.LogInformation("file exists: {storagePath}", storagePath); |
|
return File.Exists(storagePath); |
2 data flows detected
View Data Flow 1
|
using var response = await client.GetAsync(url); |
|
fileName = response.Content.Headers.ContentDisposition?.FileNameStar; |
|
path = $"{folder}/{fileName}"; |
|
var storage = await _storageProvider.GetCheckStoragAsync(path); |
|
public async Task<StorageDto?> GetCheckStoragAsync(string path) |
|
var existsing = Exists(path); |
|
private bool Exists(string path) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
return File.Exists(storagePath); |
View Data Flow 2
|
return await _storageManager.UploadAsync(currTime, userId, file); |
|
public async Task<StorageDto?> UploadAsync(DateTime uploadAt, int userid, IFormFile file) |
|
var fileName = GetFileName(file.FileName); |
|
private static string GetFileName(string fileName) |
[remaining steps not shown]
|
public async Task<StorageDto?> GetCheckStoragAsync(string path) |
|
var existsing = Exists(path); |
|
private bool Exists(string path) |
|
var storagePath = Path.Combine(_pathLocalRoot, path); |
|
return File.Exists(storagePath); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
|
Medium | Insufficient Transport Layer Protection |
CWE-319
|
EmailManager.cs:137
| 1 | 2024-05-20 02:28pm |
Vulnerable Code
|
{ |
|
var client = new SmtpClient |
|
{ |
|
ServerCertificateValidationCallback = (s, c, h, e) => true |
|
}; |
|
client.Connect(settings.Host, settings.Port, SecureSocketOptions.Auto); |
1 data flow detected
|
var client = new SmtpClient |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Insufficient Transport Layer Protection Training
● Videos
▪ Secure Code Warrior Insufficient Transport Layer Protection Video
|