You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have an ASP.NET web service which has a few controllers that interact with the file system. One of the controllers makes an async call to an SQL database and uses the result of that call as a parameter to System.IO calls. Given the async nature of the controller, I have added a CancellationToken parameter to the method, and pass it to the async database call. This eventually results in CA3003 triggering on the System.IO calls that use the string value (a folder path) that is returned from the database.
This seems to be a false positive to me, firstly because in ASP.NET the CancellationToken is injected, not provided from an external source. Additionally, I don't see how a CancellationToken could be used to taint file system operations.
Steps To Reproduce
Hereby a minimal example of a controller method that triggers CA3003 from a CancellationToken:
privateasyncTask<IActionResult>PostV1Async(CancellationTokencancellationToken){stringincrementalDownloadTempPath=await context.GetConfigStringAsync("IncrementalDownloadTempPath", cancellationToken);if(Directory.Exists(incrementalDownloadTempPath)==false)// CA3003 Potential file path injection vulnerability was found where 'bool Directory.Exists(string? path)' in method 'Task<IActionResult> ExampleController.PostV1Async(CancellationToken cancellationToken)' may be tainted by user-controlled data from 'CancellationToken cancellationToken' in method 'Task<IActionResult> ExampleController.PostAsync(string? sessionGUID, CancellationToken cancellationToken)'.{return StatusCode(StatusCodes.Status500InternalServerError,"The IncrementalDownloadTempPath directory does not exist.");}return Ok();}
The above method is truncated; the full method performs additional work, but this minimal example is sufficient to demonstrate the analyzer triggering.
Expected behavior
CA3003 is not triggered from a CancellationToken.
Actual behavior
CA3003 is triggered from a CancellationToken.
The text was updated successfully, but these errors were encountered:
Analyzer
Diagnostic ID: CA3003:
Review code for regex injection vulnerabilitiesAnalyzer source
SDK: Built-in CA analyzers in .NET 5 SDK or later
Version: SDK 8.0.400
Describe the bug
I have an ASP.NET web service which has a few controllers that interact with the file system. One of the controllers makes an async call to an SQL database and uses the result of that call as a parameter to
System.IOcalls. Given the async nature of the controller, I have added aCancellationTokenparameter to the method, and pass it to the async database call. This eventually results in CA3003 triggering on theSystem.IOcalls that use the string value (a folder path) that is returned from the database.This seems to be a false positive to me, firstly because in ASP.NET the
CancellationTokenis injected, not provided from an external source. Additionally, I don't see how aCancellationTokencould be used to taint file system operations.Steps To Reproduce
Hereby a minimal example of a controller method that triggers CA3003 from a CancellationToken:
The above method is truncated; the full method performs additional work, but this minimal example is sufficient to demonstrate the analyzer triggering.
Expected behavior
CA3003 is not triggered from a
CancellationToken.Actual behavior
CA3003 is triggered from a
CancellationToken.The text was updated successfully, but these errors were encountered: