
Our client uses the Veracode scanning tool to scan an ASP.NET application. We have solved many flaws except for the ones below.

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
(CWE ID 113) (1 flaw) on the line

HttpContext.Current.Response.AddHeader("Content-Disposition", contentDisposition);

This is the corresponding code:

public static void DownloadFile(string fileName, byte[] dByteData, bool isNoOpen = false)
{
    byte[] fileContents = dByteData;
    string contentDisposition = string.Empty;
    if (string.IsNullOrWhiteSpace(fileName))
    {
        return;
    }
    // Strip CR/LF from every value that ends up in a response header
    fileName = fileName.Replace("\n", "").Replace("\r", "");
    string contentType = "application/*.".Replace("\n", "").Replace("\r", "");
    // While downloading the file, the file name comes with junk characters
    contentDisposition = "attachment; filename=\"" + HttpContext.Current.Server.UrlPathEncode(fileName) + "\"";
    contentDisposition = contentDisposition.Replace("\n", "").Replace("\r", "");
    HttpContext.Current.Response.Buffer = true;
    HttpContext.Current.Response.Clear();
    HttpContext.Current.Response.ClearContent();
    HttpContext.Current.Response.ClearHeaders();
    HttpContext.Current.Response.Charset = "";
    HttpContext.Current.Response.ContentType = contentType;
    if (isNoOpen)
    {
        HttpContext.Current.Response.AddHeader("X-Download-Options", "noopen");
    }
    HttpContext.Current.Response.AddHeader("Content-Disposition", contentDisposition); // line flagged by Veracode
    HttpContext.Current.Response.AddHeader("Content-Length", fileContents.Length.ToString());
    HttpContext.Current.Response.BinaryWrite(fileContents);

    HttpContext.Current.Response.End();
    HttpContext.Current.Response.Flush();
    HttpContext.Current.ApplicationInstance.CompleteRequest();
}

External Control of File Name or Path (CWE ID 73)

if (File.Exists(filePath))
{
    File.Delete(filePath); // line flagged by Veracode
}

It shows the error on the File.Delete line. We have tried sanitizing filePath and also used Path.GetFullPath, but in vain.

Joachim Sauer

4 Answers

You can get more detailed information about the flaw's origin from the call stack analysis (it is available in the Triage Flaws section of the application build scan result in the Veracode Analysis Center). Some Veracode flaw origins are difficult to understand without this information.

MaSEL

Very often tools like Veracode do not understand the fact that you have sanitised your content. It seems to be missing your Replace() calls. I'd mark this finding as a false positive and move on.

Vitaly Osipov

For External Control of File Name or Path (CWE ID 73):

Validate filePath with something like:

public static void ValidatePath(string path)
{
    // Path.GetInvalidPathChars() returns the characters the OS forbids in a path
    char[] invalidPathCharacters = System.IO.Path.GetInvalidPathChars();
    foreach (char a in path)
    {
        if (Array.IndexOf(invalidPathCharacters, a) >= 0)
        {
            throw new ArgumentException($"Character {a} is an invalid path character for path {path}");
        }
    }
}

Veracode was satisfied in our last scan.

vich
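An added example for the CWE 73 finding (not vich's code) that goes one step beyond rejecting invalid characters: it resolves the caller-supplied name against a fixed base directory with `Path.GetFullPath` and refuses anything that does not stay inside it, which is the check that closes the `..` traversal case, since `..` contains no character that `GetInvalidPathChars()` lists. `SafeDelete`, `ResolveInsideBase`, `DeleteUpload` and the `BaseDir` value are assumptions made for the example.

```csharp
using System;
using System.IO;

// Added example, not the answer's code.
public static class SafeDelete
{
    // Assumption: the only directory this code is ever allowed to delete from.
    private static readonly string BaseDir = Path.GetFullPath(@"C:\inetpub\app\uploads");

    // Hypothetical helper name. Returns the resolved absolute path or throws.
    public static string ResolveInsideBase(string userSuppliedName)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedName))
            throw new ArgumentException("name required", nameof(userSuppliedName));

        // Only a plain leaf name is acceptable. Separators and other forbidden characters are
        // rejected rather than stripped, so the caller learns that the input was bad instead
        // of silently deleting a different file than the one named.
        if (userSuppliedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || userSuppliedName != Path.GetFileName(userSuppliedName))
            throw new ArgumentException("not a plain file name", nameof(userSuppliedName));

        // Normalise, then check containment. "." and ".." pass the leaf-name test above but
        // resolve to the base directory itself or its parent, and fail here.
        string full = Path.GetFullPath(Path.Combine(BaseDir, userSuppliedName));

        // Compare against the base plus a trailing separator: "C:\app\uploads2\x" starts with
        // "C:\app\uploads", so a bare prefix check would accept a sibling directory.
        string basePrefix = BaseDir.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        // OrdinalIgnoreCase matches Windows file system semantics; use Ordinal on a
        // case-sensitive file system.
        if (!full.StartsWith(basePrefix, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the base directory");

        return full;
    }

    // Returns true if a file was deleted, false if nothing existed under that name.
    public static bool DeleteUpload(string userSuppliedName)
    {
        string full = ResolveInsideBase(userSuppliedName);
        if (!File.Exists(full))
            return false;
        File.Delete(full);
        return true;
    }
}
```

The two checks are deliberately separate: the character filter is what the answer above already does, and the containment check is what makes the deleted path a function of `BaseDir` plus a validated leaf name rather than of the request. With `userSuppliedName = "..\\web.config"` the backslash fails the leaf-name test; with `".."` the leaf-name test passes and the containment test rejects the parent directory.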

Use the Veracode FilePathCleanser attribute. See https://help.veracode.com/reader/DGHxSJy3Gn3gtuSIN2jkRQ/CWbscOAsMPyIXqASkLRTnw