[Research] ASP.NET, WebForm: File.Open code reported by Fortify SCA as Portability Flaw: File Separator (Medium)
2024-04-02
Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C# + SQL Server 2019 + SQL Server Management Studio (SSMS) 19
********************************************************************************
In the ASP.NET WebForm program below, the line using (FileStream fs = File.Open(openFilename, FileMode.Open)) is reported by Fortify SCA as a Portability Flaw: File Separator issue.
The recommendation given in the report is:
FileStream f = File.Create(directoryName + Path.DirectorySeparatorChar.ToString() + fileName);
********************************************************************************
Actual test
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1.Default" %>

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:FileUpload ID="FileUpload1" runat="server" />
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <asp:Button ID="Button2" runat="server" Text="Button" OnClick="Button2_Click" />
        <asp:Button ID="Button3" runat="server" OnClick="Button3_Click" Text="Button" />
        <asp:Button ID="Button4" runat="server" OnClick="Button4_Click" Text="Button" />
    </form>
</body>
</html>
Default.aspx.cs
using System;
using System.IO;

namespace WebApplication1
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }

        // Variant 1: plain string concatenation.
        // fd has no trailing separator, so the result is "D:\Temp<name>...",
        // i.e. a file in D:\ rather than a file inside D:\Temp.
        protected void Button1_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = fd + mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
            }
        }

        // Variant 2: Path.Combine joins the folder and the file name.
        protected void Button2_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = Path.Combine(fd, mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods");
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        // Variant 3: string concatenation (same missing separator as variant 1),
        // then both separator styles replaced with Path.DirectorySeparatorChar.
        protected void Button3_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = fd + mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";
            openFilename = openFilename.Replace('/', Path.DirectorySeparatorChar).Replace('\\', Path.DirectorySeparatorChar);
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }

        // Variant 4: Path.Combine plus the separator replacement from variant 3.
        protected void Button4_Click(object sender, EventArgs e)
        {
            string fd = @"D:\Temp";
            string mainFileName = Path.GetFileNameWithoutExtension(FileUpload1.FileName);
            string openFilename = Path.Combine(fd, mainFileName + "-匯入結果" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods");
            openFilename = openFilename.Replace('/', Path.DirectorySeparatorChar).Replace('\\', Path.DirectorySeparatorChar);
            FileUpload1.SaveAs(openFilename);
            using (FileStream fs = File.Open(openFilename, FileMode.Open))
            {
                // do something
            }
        }
    }
}
Fortify SCA still reports the issue (yellow); for now I do not know what it takes to satisfy Fortify SCA.
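All four handlers above still contain the literal @"D:\Temp", which carries a Windows drive letter and a backslash separator in source. The following is an added example, not code from the original post and not verified against Fortify SCA: it builds the same file name with no separator literal in source and checks that the resolved path stays inside the base folder. UploadPathBuilder, BuildImportPath, the baseDir parameter and the ImportDemo folder are assumptions made for illustration.

```csharp
using System;
using System.IO;

// Added example, not the post's code. UploadPathBuilder is a hypothetical helper.
public static class UploadPathBuilder
{
    public static string BuildImportPath(string baseDir, string clientFileName, DateTime now)
    {
        if (string.IsNullOrWhiteSpace(clientFileName))
            throw new ArgumentException("No file name supplied.", nameof(clientFileName));

        // Same first step as the post: drop directory parts and the extension.
        string stem = Path.GetFileNameWithoutExtension(clientFileName);

        // Replace characters the file system rejects (for example '*' or '?' on Windows).
        foreach (char c in Path.GetInvalidFileNameChars())
            stem = stem.Replace(c, '_');

        string name = stem + "-匯入結果" + now.ToString("yyyy-MM-dd-HH-mm-ss-fff") + ".ods";

        // Path.Combine inserts the platform separator; no '\' or '/' literal is needed.
        string root = Path.GetFullPath(baseDir);
        string full = Path.GetFullPath(Path.Combine(root, name));

        // Containment check: the resolved file must sit under root.
        string sep = Path.DirectorySeparatorChar.ToString();
        string prefix = root.EndsWith(sep, StringComparison.Ordinal) ? root : root + sep;
        if (!full.StartsWith(prefix, StringComparison.Ordinal))
            throw new InvalidOperationException("Resolved path is outside the upload folder.");

        return full;
    }

    public static void Main()
    {
        // Assumption: a folder under the user's temp directory stands in for D:\Temp.
        string baseDir = Path.Combine(Path.GetTempPath(), "ImportDemo");
        Directory.CreateDirectory(baseDir);

        // Constructed sample input: a client-supplied name carrying a directory prefix.
        string path = BuildImportPath(baseDir, "reports/2024 q1.ods", DateTime.Now);
        Console.WriteLine(path);

        File.WriteAllBytes(path, new byte[0]); // stands in for FileUpload1.SaveAs(path)
        using (FileStream fs = File.Open(path, FileMode.Open))
        {
            Console.WriteLine(fs.Length);
        }
    }
}
```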
Related
[Research] ASP.NET, WebForm: File.Open code reported by Fortify SCA as Portability Flaw: File Separator (Medium)
https://shaurong.blogspot.com/2024/04/aspnet-webform-fileopen-fortify-sca.html
[Research] ASP.NET: Fortify SCA reports CreateDirectory() as Portability Flaw: File Separator
https://shaurong.blogspot.com/2024/03/aspnet-fortify-sca-createdirectory-path.html