Veracode directory traversal Issue c#

Question

I have this code that stores file to server:

function void StoreFile(string inputFileName) {
   ...

   var extension = Path.GetExtension(inputFileName);
   if(extension == ".csv") {
       var fileName = string.Format("{0}_{1}{2}", Session.SessionID, new Guid(), extension);

       var dataFileServerPath = _documentService.getPath(fileName, UserProfile.UserName, UserProfile.SourceID);

       if(!string.IsNullOrEmpty(dataFileServerPath)) {
           try {
              using(FileStream dataFile = new FileStream(dataFileServerPath, FileMode.Create))  { .... }
           }
           cathc(Exception e) { ... }    
       }
    }    
    else {
        throw new NotSupportedFormatError();
    }
}

Aftrer Veracode analyze I get Directory Traverse Issue on line FileStream dataFile = new FileStream(dataFileServerPath, FileMode.Create)

Why am I getting this issue there, I've checked if file extension is valid for my case and passed that value in fileName. Is this security issues and how to solve this issue?

_documentService.getPath just appends path from web.config and filename for specific user, it's not related to user input.

Answer 1

According to the code you've posted here, that looks like a false positive.

Veracode is apparently tracking the inputFileName variable (which I assume contains unvalidated user input), and notes that it influences the extension variable. Since you later embed extension directly into the filename, and read the file that points at, Veracode sees that it is possible that a malicious user would embed a partial path in inputFileName which would then change the directory of the target file...

In this case, Veracode is missing the fact that you already performed input validation (the extension == ".csv" check), and absolutely constrained the relevant part of the input to a tight whitelist.

Assuming there is no other relevant bits of code missing from your question, this is safe to mark as false positive.

Answer 2

There's no real way for static analyzers to reliably verify that you are in fact not using user input. They tend to err on the side of being overly cautious, thereby producing false-positive warnings.