Our client uses Veracode scanning tool to scan ASP.NET Application. We have solved many flaws except for the below.
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
(CWE ID 113)(1 flaw) in the line
HttpContext.Current.Response.AddHeader("Content-Disposition", contentDisposition);
This is the corresponding code:
public static void DownloadFile(string fileName, byte[] dByteData, bool isNoOpen = false)
{
byte[] fileContents = new byte[] { };
string contentDisposition = string.Empty;
fileContents = dByteData;
if (string.IsNullOrWhiteSpace(fileName))
{
return;
}
fileName = fileName.Replace("\n", "").Replace("\r", "");
string contentType = "application/*.".Replace("\n", "").Replace("\r", "");
contentDisposition = "attachment; filename=\"" + HttpContext.Current.Server.UrlPathEncode(fileName) + "\"";//While Downloading file - file name comes with junk characters
contentDisposition= contentDisposition.Replace("\n", "").Replace("\r", "");
HttpContext.Current.Response.Buffer = true;
HttpContext.Current.Response.Clear();
HttpContext.Current.Response.ClearContent();
HttpContext.Current.Response.ClearHeaders();
HttpContext.Current.Response.Charset = "";
HttpContext.Current.Response.ContentType = contentType;
if (isNoOpen)
{
HttpContext.Current.Response.AddHeader("X-Download-Options", "noopen");
}
HttpContext.Current.Response.AddHeader("Content-Disposition", contentDisposition);
HttpContext.Current.Response.AddHeader("Content-Length", fileContents.Length.ToString());
HttpContext.Current.Response.BinaryWrite(fileContents.ToArray());
HttpContext.Current.Response.End();
HttpContext.Current.Response.Flush();
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
External Control of File Name or Path (CWE ID 73)
if (File.Exists(filePath))
{
File.Delete(filePath);
}
It shows error in File.Delete
line. We have tried sanitizing filepath and also used Path.GetFullpath
but to vain only.