How to fix 'Path Manipulation' issue from Fortify scan report for the following code sample


Jackson is right: this is a direct File Path Manipulation vulnerability that can be fixed through indirect selection. From your known directory, list all the files. Use the value coming from your own directory list, not the user-supplied value.

using System.IO;   // inside an ASP.NET page or handler, where Request is available

String rName = Request.QueryString["reportName"];
String knownPath = "C:\\hari";
DirectoryInfo di = new DirectoryInfo(knownPath);
FileInfo[] files = di.GetFiles(rName);   // rName is used only as a search pattern within knownPath

if (files.Length > 0)
{
    // use files[0].FullName: a path that came from the directory listing, not from the request
}

I think the problem is that someone could spoof a request with reportName = "..\\Windows\\Something important" which is clearly a security flaw. You need to change your code so that it doesn't read a partial filename from the request query string.
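The indirect-selection fix both answers describe, written out as an added example (this is not code from the question or from either answerer). The server enumerates its own known directory and the request value is only compared, as a bare file name, against that listing, so it never reaches the file system; the resolved path is then checked to still lie under the known directory. The `ReportSelector` class, the `Resolve` method and the temporary demo directory with `sales.pdf` and `hr.pdf` are constructed here for illustration; `Request.QueryString` is replaced by a fixed list of sample inputs so the program runs from the command line without IIS.

```csharp
// Added example: indirect selection of a report file. The user-supplied name is
// used only to pick an entry from a listing the server built itself.
using System;
using System.IO;
using System.Linq;

public static class ReportSelector
{
    // Returns the full path of the matching report, or null when the requested
    // name does not exactly match a file name in the known directory.
    public static string Resolve(string knownPath, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;

        // Candidate list comes from the server's own directory listing, never
        // from the request. GetFiles() with no pattern lists every file there.
        FileInfo[] candidates = new DirectoryInfo(knownPath).GetFiles();

        // Exact match on the bare file name. "..\\Windows\\x" or "*" can never
        // equal a file name in the listing, so they select nothing. (In the
        // original code rName was passed to GetFiles() as a search pattern,
        // where '*' and '?' are wildcards.)
        FileInfo match = candidates.FirstOrDefault(f =>
            string.Equals(f.Name, requestedName, StringComparison.OrdinalIgnoreCase));

        if (match == null)
            return null;

        // Defence in depth: the resolved path must still sit inside knownPath.
        string baseDir = Path.GetFullPath(knownPath)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(match.FullName);
        return full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed sample directory so the example runs without a real C:\hari.
        string knownPath = Path.Combine(Path.GetTempPath(),
            "report-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(knownPath);
        File.WriteAllText(Path.Combine(knownPath, "sales.pdf"), "sample");
        File.WriteAllText(Path.Combine(knownPath, "hr.pdf"), "sample");

        // Constructed stand-ins for Request.QueryString["reportName"].
        string[] requests =
        {
            "sales.pdf",                         // legitimate: resolves to the real path
            "..\\Windows\\Something important",  // traversal attempt from the thread: rejected
            "*",                                 // wildcard that GetFiles(rName) would honour: rejected
            "notes.txt",                         // not in the directory: rejected
        };

        foreach (string r in requests)
            Console.WriteLine($"{r,-36} -> {Resolve(knownPath, r) ?? "rejected"}");

        Directory.Delete(knownPath, true);
    }
}
```

Compile and run it as a console program (for example `dotnet run` in a new console project, or `csc` against the single file). Only the first request resolves; the traversal string, the wildcard and the unknown name all come back as "rejected", because a request value can only ever select a file that already appears in the server's own listing.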