Merge pull request #133 from AndriiLab/alert-autofix-3

AndriiLab · web-flow · commit bafccc1e0bbd · 2025-02-15T17:25:41.000+01:00
Potential fix for code scanning alert no. 3: Uncontrolled data used in path expression
diff --git a/Modules/Promasy.Modules.Files/Services/FileStorage.cs b/Modules/Promasy.Modules.Files/Services/FileStorage.cs
@@ -1,4 +1,5 @@
 ﻿using Promasy.Application.Interfaces;
+using Promasy.Core.Exceptions;
 
 namespace Promasy.Modules.Files.Services;
 
@@ -8,17 +9,18 @@ internal class FileStorage : IFileStorage
 
     public Task<byte[]> ReadFileAsync(string fileName)
     {
-        var path = Path.Combine(Directory.GetCurrentDirectory(), ReportsPath, fileName);
-        if (!File.Exists(path))
-        {
-            return Task.FromResult(Array.Empty<byte>());
-        }
+        Ensure.FileNameSafety(fileName);
 
-        return File.ReadAllBytesAsync(path);
+        var path = Path.Combine(Directory.GetCurrentDirectory(), ReportsPath, fileName);
+        return File.Exists(path)
+            ? File.ReadAllBytesAsync(path)
+            : Task.FromResult(Array.Empty<byte>());
     }
 
     public string GetPathForFile(string fileName)
     {
+        Ensure.FileNameSafety(fileName);
+
         if (!Directory.Exists(Path.Combine(Directory.GetCurrentDirectory(), ReportsPath)))
         {
             Directory.CreateDirectory(Path.Combine(Directory.GetCurrentDirectory(), ReportsPath));
diff --git a/Promasy.Core/Exceptions/Ensure.cs b/Promasy.Core/Exceptions/Ensure.cs
@@ -0,0 +1,16 @@
+﻿using System;
+
+namespace Promasy.Core.Exceptions;
+
+public static class Ensure
+{
+    public static void FileNameSafety(string fileName)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(fileName);
+        
+        if (fileName.Contains("..") || fileName.Contains('/') || fileName.Contains('\\'))
+        {
+            throw new ArgumentException("Invalid file name");
+        }
+    }
+}
