pumasecurity / puma-scan

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
https://www.pumascan.com
Mozilla Public License 2.0

SEC0112 false positive #31

Open ericwscott opened 7 years ago

ericwscott commented 7 years ago

Any use of a variable in the File API appears to trigger this warning. The only way I can find to satisfy the analyzer is to use a hard coded string for the file path. Even the secure example code from the documentation triggers the warning:

using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Web API 2 controller action: builds the path from a configured base folder and a Guid, then deletes the file.
[HttpPost]
public HttpResponseMessage Delete(Guid fileId)
{
    string path = Path.Combine(ConfigurationManager.AppSettings["DownloadPath"], fileId.ToString());
    File.Delete(path);
    return Request.CreateResponse(HttpStatusCode.OK);
}

Is the only way to prevent this warning hard coding the path or manual suppression?
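The snippet above is safe because `Guid.ToString()` can only produce hex digits and hyphens, but a rule that flags every non-literal path argument cannot see that. The following is an added example, not code from the issue or from the Puma Scan project: it keeps the Guid-based naming and the `DownloadPath` app setting from the post, and adds an explicit containment check that canonicalizes the final path and rejects anything that resolves outside the configured folder. The controller name, the `ResolveInside` helper, and the `BadRequest` response are illustrative choices; it targets .NET Framework Web API 2 (`System.Web.Http`).

```csharp
// Added example (not from the issue or the Puma Scan project). Assumed:
// .NET Framework Web API 2, the "DownloadPath" app setting from the post,
// and an illustrative controller/helper name.
using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Web.Http;

public class DownloadsController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Delete(Guid fileId)
    {
        string baseDir = ConfigurationManager.AppSettings["DownloadPath"];

        // Guid.ToString() yields only hex digits and hyphens, so it cannot carry
        // a separator or "..". The containment check is still worth keeping: it
        // makes the invariant explicit and survives a later refactor that swaps
        // the Guid for a caller-supplied string.
        string path = ResolveInside(baseDir, fileId.ToString());
        if (path == null)
        {
            return Request.CreateResponse(HttpStatusCode.BadRequest);
        }

        File.Delete(path);
        return Request.CreateResponse(HttpStatusCode.OK);
    }

    // Returns the canonical path of <name> under <baseDir>, or null when the
    // combined path would resolve outside the base directory.
    //
    // Two edge cases are covered:
    //  - "..\\x" style segments: Path.GetFullPath collapses them, so the result
    //    no longer starts with the base directory and is rejected.
    //  - a rooted <name> ("C:\\Windows\\x" or "/etc/passwd"): Path.Combine
    //    discards the first argument when the second is rooted, so the
    //    StartsWith check is what catches it.
    internal static string ResolveInside(string baseDir, string name)
    {
        string root = Path.GetFullPath(baseDir)
                          .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;

        string full = Path.GetFullPath(Path.Combine(root, name));

        // Trailing separator on root prevents "C:\downloads2\..." from matching
        // a base of "C:\downloads". OrdinalIgnoreCase matches Windows file-system
        // semantics; use Ordinal on a case-sensitive file system.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }
}
```

Calling `ResolveInside(@"C:\downloads", "3f2504e0-4f89-11d3-9a0c-0305e82c3301")` returns the file path under the base folder, while `ResolveInside(@"C:\downloads", @"..\web.config")` and `ResolveInside(@"C:\downloads", @"C:\Windows\win.ini")` both return null. A taint-aware rule could clear the first form once it recognizes that the only non-literal input is a `Guid`; until then, the check above is the defence that does not depend on the analyzer at all.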

ejohn20 commented 7 years ago

Correct; the rule in its current state is more of a dangerous function rule. We'll add this to the list of rules to improve the taint analysis within the new code block once this is ready.

FYI - You can suppress the rule by right clicking the warning and adding it to a suppression file.

ericwscott commented 7 years ago

Thanks for the explanation. I'll leave it up to you if you want to close the issue or use it to track the enhancement you were discussing.

ejohn20 commented 7 years ago

No problem. Thanks for the feedback. There are a couple of rules that are similar to this that we can't "fix" in their current state via code changes. This is not ideal. I will leave this issue open so we remember to enhance this rule when the code block analyzer is ready.