Possible false positive "Uncontrolled data used in path expression" still after stripping path from input. #18225
Description
The .NET System.IO.Path.GetFileName will take a path, relative or otherwise, and return only the filename part. I am using this to sanitize the input to a Download action that serves files from a hardcoded folder. The initial code looked like this, which is in fact vulnerable:
[HttpGet]
public IActionResult Download(string fileName)
{
string filesDir = "Files\\FilesToServe";
string filePath = Path.Combine(filesDir, fileName);
if (System.IO.File.Exists(filePath))
{
FileStream fs = new FileStream(filePath, FileMode.Open);
return File(fs, "text/plain", fileName);
}
return NotFound();
}
Corrective action was taken so that only a file name with no additional path will be used to look for the file:
[HttpGet]
public IActionResult Download(string fileName)
{
string strippedFileName = Path.GetFileName(fileName);
string filesDir = "Files\\FilesToServe";
string filePath = Path.Combine(filesDir, strippedFileName);
if (System.IO.File.Exists(filePath))
{
FileStream fs = new FileStream(filePath, FileMode.Open);
return File(fs, "text/plain", strippedFileName);
}
return NotFound();
}
This still detects "Uncontrolled data used in path expression (cs/path-injection)" for filePath even though it has been tested to no longer serve files outside of filesDir when passing in parameters such as "../../../FileThatShouldntBeServed.txt".