ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
1,478 questions
Checkmarx Connection String Injection Issue on Excel File Uplaod
MUHAMMAD AZEEM AZAM
1
Reputation point
I'm using Checkmarx that scans source code and identifies security vulnerabilities within the code
<asp:FileUpload ID="fuXlsWorkflow" runat="server" EnableViewState="true" />
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ErrorMessage="<%$ Resources:Message,ERR_FORMAT%>" ValidationExpression="^([a-zA-Z]|\x20|\x2E|:|\|[0-9])*.(xls|xlsx)$" ControlToValidate="fuXlsWorkflow" />
checkmarx detects a vulnerability on fuXlsWorkflow.FileName
file name is also passed to OLEDB Connection string.
i did tried HtmlEncode, but it didn't worked out.
ASP.NET
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
8,167 questions
ASP.NET API
ASP.NET API
ASP.NET: A set of technologies in the .NET Framework for building web applications and XML web services.API: A software intermediary that allows two applications to interact with each other.
205 questions
{count} votes
-
QiYou-MSFT 2,761 Reputation points Microsoft Vendor
2022-11-21T09:48:07.343+00:00 Hi @MUHAMMAD AZEEM AZAM ,
Can you provide the code information of the backend? I'm sorry for the front-end code in your issue description, I had a hard time reproducing the issue.Best Regards,
Qi You -
MUHAMMAD AZEEM AZAM 1 Reputation point
2022-11-21T16:49:53.233+00:00 Connection String Injection in Bottom Issues
ole Db Connection String i have is
string Connectionstring = "Provider=Microsoft.ACE.OLEDB.12.0; DataSource="+filepath+filename+"; Extended Properties=\"Excel 12.0 Xml;HDR=YES;IMEX=1\""
Issue With File Name in CheckMarx
Second Issue withBottom File Name with CheckMarx
string filename = Syste.IO.Path.Getfilenamewithoutextension(fuXlsWorkflow.FileName);
-
Viorel 94,416 Reputation points2022-11-21T17:42:38.587+00:00 Probably the original filename is not important. Maybe you can generate any filename (using Path.GetRandomFileName, for example), save the data using fuXlsWorkflow.SaveAs, then use the new filename in your connection string.
Sign in to comment