You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have used Veracode to scan Akavache library and it has come up with this issue:
Description
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise
protected system resources that would normally be inaccessible to end users. In some cases, the user-provided input may be
passed directly to the filesystem operation, or it may be concatenated to one or more fixed strings to construct a fully-qualified
path.
When an application improperly cleanses special character sequences in user-supplied filenames, a path traversal (or
directory traversal) vulnerability may occur. For example, an attacker could specify a filename such as "../../etc/passwd",
which resolves to a file outside of the intended directory that the attacker would not normally be authorized to view.
Recommendations
Assume all user-supplied input is malicious. Validate all user-supplied input to ensure that it conforms to the expected format,
using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a
sufficient number of iterations to remove all instances of disallowed characters and ensure that the end result is not
dangerous.
This call contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.
Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters.
The text was updated successfully, but these errors were encountered:
We have used Veracode to scan Akavache library and it has come up with this issue:
Description
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise
protected system resources that would normally be inaccessible to end users. In some cases, the user-provided input may be
passed directly to the filesystem operation, or it may be concatenated to one or more fixed strings to construct a fully-qualified
path.
When an application improperly cleanses special character sequences in user-supplied filenames, a path traversal (or
directory traversal) vulnerability may occur. For example, an attacker could specify a filename such as "../../etc/passwd",
which resolves to a file outside of the intended directory that the attacker would not normally be authorized to view.
Recommendations
Assume all user-supplied input is malicious. Validate all user-supplied input to ensure that it conforms to the expected format,
using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a
sufficient number of iterations to remove all instances of disallowed characters and ensure that the end result is not
dangerous.
The specific reference is to:
https://github.com/reactiveui/Akavache/blob/main/src/Akavache.Sqlite3/SQLite.cs#L3464
https://github.com/reactiveui/Akavache/blob/main/src/Akavache.Sqlite3/SQLite.cs#L3469
Description
This call contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.
Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters.
The text was updated successfully, but these errors were encountered: