Wednesday, April 3, 2024

[Research] ASP.NET, WebForm: File.Open in the program is reported by Fortify SCA as Portability Flaw: File Separator (Medium)

2024-04-02

Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C# + SQL Server 2019 + SQL Server Management Studio (SSMS) 19

********************************************************************************

ASP.NET, WebForm: in the program below, the line  using (FileStream fs = File.Open(openFilename, FileMode.Open))  is reported by Fortify SCA as having a Portability Flaw: File Separator issue.

The report's suggested fix is

FileStream f = File.Create(directoryName + Path.DirectorySeparatorChar.ToString() + fileName);

********************************************************************************

Actual test

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" 
    Inherits="WebApplication1.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:FileUpload ID="FileUpload1" runat="server" />
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <asp:Button ID="Button2" runat="server" Text="Button" OnClick="Button2_Click" />
        <asp:Button ID="Button3" runat="server" OnClick="Button3_Click" Text="Button" />
        <asp:Button ID="Button4" runat="server" OnClick="Button4_Click" Text="Button" />
    </form>
</body>
</html>

Default.aspx.cs

using System;
using System.IO;

namespace WebApplication1
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

        }

        // Variant 1: plain string concatenation. fd needs a trailing separator here,
        // otherwise "D:\Temp" + name produces "D:\Tempname-..." in the parent directory.
        protected void Button1_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp\";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = fd + mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            FileUpload1.SaveAs(openFilename);
            // This is the line Fortify SCA flags as Portability Flaw: File Separator.
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        protected void Button2_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = Path.Combine(fd, mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods");
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        // Variant 3: concatenation as in Button1, then normalise both '/' and '\'
        // to Path.DirectorySeparatorChar. fd again needs the trailing separator.
        protected void Button3_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp\";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = fd + mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            openFilename = openFilename.Replace('/', Path.DirectorySeparatorChar).Replace('\\', Path.DirectorySeparatorChar);
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        protected void Button4_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = Path.Combine(fd, mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods");
            openFilename = openFilename.Replace('/', Path.DirectorySeparatorChar).Replace('\\', Path.DirectorySeparatorChar);
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }
    }
}


Fortify SCA still reports the issue (yellow); for now I don't know what it takes to satisfy Fortify SCA.
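As an added example (not code from the original post), the path construction that the four handlers repeat can be pulled into one helper that uses only Path.Combine and Path.DirectorySeparatorChar, and that also checks the resolved path still lies under the target directory before File.Open touches it, which is the check a reviewer would want whatever Fortify accepts. Whether Fortify SCA clears the finding for this form is not verified here; the names PathBuilder, BuildImportResultPath and IsInsideDirectory are assumptions.

```csharp
using System;
using System.IO;

namespace WebApplication1
{
    // Added example, not code from the original post. Builds the same
    // "<dir>\<name>-匯入結果<timestamp>.ods" path as the button handlers, using only
    // Path.Combine and Path.DirectorySeparatorChar (no hard-coded '\' or '/').
    public static class PathBuilder
    {
        public static string BuildImportResultPath(string directory, string uploadedFileName, DateTime now)
        {
            // Path.GetFileName drops any directory part a client may have sent with the
            // upload (some browsers send the full client-side path), keeping "report.ods".
            string clientName = Path.GetFileName(uploadedFileName);
            string mainFileName = Path.GetFileNameWithoutExtension(clientName);
            // Reject an empty name or characters that are invalid in a file name here.
            if (string.IsNullOrEmpty(mainFileName) || mainFileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            {
                throw new ArgumentException("Uploaded file name is empty or contains invalid characters.");
            }
            string newName = mainFileName + "-匯入結果" + now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            string combined = Path.Combine(directory, newName);
            // Normalise the alternate separator ('/' on Windows) to the platform separator.
            combined = combined.Replace(Path.AltDirectorySeparatorChar, Path.DirectorySeparatorChar);
            // Resolve "..", doubled separators etc., then confirm the result is still
            // inside the intended directory before any file API is called on it.
            string fullPath = Path.GetFullPath(combined);
            if (!IsInsideDirectory(directory, fullPath))
            {
                throw new InvalidOperationException("Resolved path is outside the target directory.");
            }
            return fullPath;
        }

        // True when fullPath lies under directory; the root is normalised first so that
        // "D:\Temp" and "D:\Temp\" compare equal and "D:\Temp2" does not match "D:\Temp".
        public static bool IsInsideDirectory(string directory, string fullPath)
        {
            string root = Path.GetFullPath(directory)
                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                + Path.DirectorySeparatorChar;
            return fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

In a handler this replaces the three path lines with `string openFilename = PathBuilder.BuildImportResultPath(@"D:\Temp", FileUpload1.FileName, DateTime.Now);` followed by the unchanged SaveAs and File.Open calls.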

(to be continued)

Related

[Research] ASP.NET, WebForm: File.Open in the program is reported by Fortify SCA as Portability Flaw: File Separator (Medium)
https://shaurong.blogspot.com/2024/04/aspnet-webform-fileopen-fortify-sca.html

[Research] ASP.NET: Fortify SCA reports CreateDirectory() as Portability Flaw: File Separator (portability flaw, file separator)
https://shaurong.blogspot.com/2024/03/aspnet-fortify-sca-createdirectory-path.html
