Developer technologies | ASP.NET | ASP.NET API
A component of ASP.NET for creating RESTful web services that support HTTP-based communication between clients and servers.
Checkmarx Connection String Injection Issue on Excel File Uplaod
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 18%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
MUHAMMAD AZEEM AZAM
1
Reputation point
I'm using Checkmarx that scans source code and identifies security vulnerabilities within the code
<asp:FileUpload ID="fuXlsWorkflow" runat="server" EnableViewState="true" />
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ErrorMessage="<%$ Resources:Message,ERR_FORMAT%>" ValidationExpression="^([a-zA-Z]|\x20|\x2E|:|\|[0-9])*.(xls|xlsx)$" ControlToValidate="fuXlsWorkflow" />
checkmarx detects a vulnerability on fuXlsWorkflow.FileName
file name is also passed to OLEDB Connection string.
i did tried HtmlEncode, but it didn't worked out.
Developer technologies | ASP.NET | ASP.NET API
Developer technologies | ASP.NET | Other
Developer technologies | ASP.NET | Other
A set of technologies in .NET for building web applications and web services. Miscellaneous topics that do not fit into specific categories.
Developer technologies | C#
Developer technologies | C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQM%3C/text%3E%3C/svg%3E)
QiYou-MSFT 4,341 Reputation points Microsoft External Staff2022-11-21T09:48:07.343+00:00 Hi @MUHAMMAD AZEEM AZAM ,
Can you provide the code information of the backend? I'm sorry for the front-end code in your issue description, I had a hard time reproducing the issue.Best Regards,
Qi You -
MUHAMMAD AZEEM AZAM 1 Reputation point
2022-11-21T16:49:53.233+00:00 Connection String Injection in Bottom Issues
ole Db Connection String i have is
string Connectionstring = "Provider=Microsoft.ACE.OLEDB.12.0; DataSource="+filepath+filename+"; Extended Properties=\"Excel 12.0 Xml;HDR=YES;IMEX=1\""
Issue With File Name in CheckMarx
Second Issue withBottom File Name with CheckMarx
string filename = Syste.IO.Path.Getfilenamewithoutextension(fuXlsWorkflow.FileName);
-
Viorel 125.2K Reputation points2022-11-21T17:42:38.587+00:00 Probably the original filename is not important. Maybe you can generate any filename (using Path.GetRandomFileName, for example), save the data using fuXlsWorkflow.SaveAs, then use the new filename in your connection string.
Sign in to comment
Sign in to answer