使用 checkMarx 工具在代码扫描期间遇到 checkMarx 路径遍历问题

Question

在执行 HttpWebRequest 时遇到 checkMarx 路径遍历问题，

来自 checkmarx 的错误消息： 从 headers 元素获取动态数据。然后，该元素的值在代码中流动，最终用于本地磁盘访问的文件路径中。

我在标头中传递的唯一输入是访问 API 的令牌。有什么办法可以解决这个问题吗？

以下是代码，我从 cookie 中获取令牌并将其与 httpRequest 一起传递。

Dim responseString As String = ExecuteURL("www.mysite.com\action")

Private Function ExecuteURL(ByVal url As String) As String

        Dim basicRequest As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
        basicRequest.ContentType = "application/json; charset=utf-8"
        basicRequest.Method = "GET"

        Dim cookie As HttpCookie = HttpContext.Current.Request.Cookies("token")
        If Not cookie Is Nothing AndAlso Not String.IsNullOrEmpty(cookie.Value) Then
            basicRequest.Headers.Add("Authorization", "service" + cookie.Value)
        End If
        Dim response As HttpWebResponse
        Try
            response = CType(basicRequest.GetResponse(), HttpWebResponse)
            If Not response Is Nothing Then
                Using streamReader As StreamReader = New StreamReader(response.GetResponseStream())
                    Return streamReader.ReadToEnd()
                End Using
            End If
        Catch ex As System.Net.WebException
            Using streamReader As StreamReader = New StreamReader(ex.Response.GetResponseStream())
                Return streamReader.ReadToEnd()
            End Using
        End Try

        Return String.Empty
    End Function

Answer 1

这也是 owasp 中提到的漏洞之一。为了更好地理解和解决问题，我建议阅读一下 - https://blog.mindedsecurity.com/2018/10/how-to-prevent-path-traversal-in-net.html