CWE 73 External Control of File Name or Path
Steps to reproduce
A recent Veracode scan on our application using icsharpcode.sharpziplib.dll has revealed a flaw, Vulnerability CWE 73: External Control of File Name or Path. While the version of the file in use is old and we intend to get the latest version, can you advise if this can be addressed? It is also reported that the flaw's exploitability status is set to 'Neutral'.
```csharp
// ZipFile.Create as flagged by the scan: it opens whatever path the caller passes in.
public static ZipFile Create(string fileName)
{
    if (fileName == null)
    {
        throw new ArgumentNullException(nameof(fileName));
    }

    // The file name is used as-is; no validation of where it points.
    FileStream fs = File.Create(fileName);
    return new ZipFile
    {
        name_ = fileName,
        baseStream_ = fs,
        isStreamOwner = true
    };
}
```
Expected behavior
Restrict access from the restricted location of the file system
Actual behavior
Vulnerability CWE 73 reported in Veracode scan
This could allow an attacker to access or modify system files or other files that are critical to the application. An attacker can specify a path used in an operation on the filesystem. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
Please see https://www.veracode.com/security/dotnet/cwe-73
Version of SharpZipLib
0.855.5.452
Obtained from
- Downloaded from GitHub - Yes
- Package installed using NuGet - Yes
No idea what version 0.855.5.452 is. But if the scan report is pointing to the Create method, then the problem is not in SharpZipLib, but rather in how you are passing the filename to that method.
It's not possible for the library to make out if the path supplied is the intended one or not. If the path is built from user input, your own code needs to sanitize it before passing it to ZipFile.Create.
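One way to do that sanitising on the calling side, as an added example that is neither the library's own code nor part of this thread (the SafeZipFactory helper and the fixed base-directory policy are assumptions): accept only a bare file name, resolve it against a directory the application owns, and confirm the canonical result is still inside that directory before calling ZipFile.Create.

```csharp
using System;
using System.IO;
using ICSharpCode.SharpZipLib.Zip;

// Hypothetical helper (not part of SharpZipLib): confines a caller-supplied
// file name to a fixed output directory before handing it to ZipFile.Create.
public static class SafeZipFactory
{
    public static ZipFile CreateInDirectory(string baseDirectory, string userSuppliedName)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedName))
            throw new ArgumentException("File name is required.", nameof(userSuppliedName));

        // Accept only a bare file name: no directory components, no rooted paths.
        if (Path.IsPathRooted(userSuppliedName) ||
            userSuppliedName != Path.GetFileName(userSuppliedName))
            throw new ArgumentException("Directory components are not allowed.", nameof(userSuppliedName));

        if (userSuppliedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Invalid characters in file name.", nameof(userSuppliedName));

        // Canonicalise both sides and verify the final path is still inside the
        // base directory. This catches "." and ".." (which survive the checks
        // above) and is the check the library itself cannot perform for you.
        string baseFull = Path.GetFullPath(baseDirectory)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string targetFull = Path.GetFullPath(Path.Combine(baseFull, userSuppliedName));

        if (!targetFull.StartsWith(baseFull, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Path escapes the allowed directory.");

        // Only a validated, in-directory path ever reaches the library.
        return ZipFile.Create(targetFull);
    }
}
```

The same pattern applies to any SharpZipLib entry point that takes a path string; the library call itself stays unchanged.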