[Research] ASP.NET, WebForm: File.Open is reported by Fortify SCA as a Portability Flaw: File Separator (Medium) issue
2024-04-02
Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C# + SQL Server 2019 + SQL Server Management Studio (SSMS) 19
********************************************************************************
In the ASP.NET WebForm program below, the line using (FileStream fs = File.Open(openFilename, FileMode.Open)) is reported by Fortify SCA as a Portability Flaw: File Separator issue.
The recommendation given in the report is:
FileStream f = File.Create(directoryName + Path.DirectorySeparatorChar.ToString() + fileName);
********************************************************************************
Actual test
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs"
    Inherits="WebApplication1.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:FileUpload ID="FileUpload1" runat="server" />
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <asp:Button ID="Button2" runat="server" Text="Button" OnClick="Button2_Click" />
        <asp:Button ID="Button3" runat="server" OnClick="Button3_Click" Text="Button" />
        <asp:Button ID="Button4" runat="server" OnClick="Button4_Click" Text="Button" />
    </form>
</body>
</html>
Default.aspx.cs
using System;
using System.IO;

namespace WebApplication1
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }

        // Variant 1: plain string concatenation (the code Fortify SCA flagged).
        // Note: fd has no trailing separator, so the result is D:\Temp<name>...,
        // not a file inside D:\Temp.
        protected void Button1_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = fd + mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
            }
        }

        // Variant 2: Path.Combine joins the directory and the file name.
        protected void Button2_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = Path.Combine(fd, mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods");
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        // Variant 3: concatenation, then every '/' and '\' is replaced
        // with Path.DirectorySeparatorChar.
        protected void Button3_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = fd + mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            openFilename = openFilename.Replace('/', Path.DirectorySeparatorChar).Replace('\\', Path.DirectorySeparatorChar);
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        // Variant 4: Path.Combine plus the separator replacement of variant 3.
        protected void Button4_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = Path.Combine(fd, mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods");
            openFilename = openFilename.Replace('/', Path.DirectorySeparatorChar).Replace('\\', Path.DirectorySeparatorChar);
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }
    }
}
Fortify SCA still reports the issue (yellow); for now I do not know what it takes to satisfy Fortify SCA.
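All four variants above still carry a backslash inside the literal @"D:\Temp". The following is an added example, not code from the original post and not tested against Fortify SCA: it builds the same file name with no separator character in any source literal and also checks that the name derived from the upload stays inside the base directory. ImportPathBuilder, Build and the baseDir parameter are hypothetical names, and it assumes the base directory is supplied from configuration or Path.GetTempPath().

```csharp
using System;
using System.IO;

namespace WebApplication1
{
    // Hypothetical helper, added for illustration (not from the original post).
    public static class ImportPathBuilder
    {
        // baseDir is supplied by the caller (e.g. a Web.config setting or
        // Path.GetTempPath()), so no string literal here contains '\' or '/'.
        public static string Build(string baseDir, string uploadedName, DateTime now)
        {
            // FileUpload.FileName is client-controlled: keep only the last
            // path component and drop characters that are invalid in a file name.
            string stem = Path.GetFileNameWithoutExtension(uploadedName ?? string.Empty);
            foreach (char c in Path.GetInvalidFileNameChars())
                stem = stem.Replace(c.ToString(), string.Empty);
            if (stem.Length == 0)
                stem = "upload";

            // Same suffix and timestamp format as the post's code.
            string fileName = stem + "-匯入結果" + now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";

            // Path.Combine inserts the platform separator between the parts.
            string root = Path.GetFullPath(baseDir);
            string full = Path.GetFullPath(Path.Combine(root, fileName));

            // Containment check: the resolved path must stay under root.
            // Case-insensitive comparison assumes a Windows file system.
            string prefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            if (!full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Resolved path escapes the base directory.");

            return full;
        }
    }
}

// Usage inside a click handler such as Button1_Click:
//   string openFilename = ImportPathBuilder.Build(Path.GetTempPath(), FileUpload1.FileName, DateTime.Now);
//   FileUpload1.SaveAs(openFilename);
//   using (FileStream fs = File.Open(openFilename, FileMode.Open)) { /* do something */ }
```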
Related
[Research] ASP.NET, WebForm: File.Open is reported by Fortify SCA as a Portability Flaw: File Separator (Medium) issue
https://shaurong.blogspot.com/2024/04/aspnet-webform-fileopen-fortify-sca.html
[Research] ASP.NET: Fortify SCA reports that CreateDirectory() has a Portability Flaw: File Separator issue
https://shaurong.blogspot.com/2024/03/aspnet-fortify-sca-createdirectory-path.html
https://shaurong.blogspot.com/2024/03/aspnet-fortify-sca-createdirectory-path.html