ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
3,494 questions
Checkmarx Connection String Injection Issue on Excel File Uplaod
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 18%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
MUHAMMAD AZEEM AZAM
1
Reputation point
I'm using Checkmarx that scans source code and identifies security vulnerabilities within the code
<asp:FileUpload ID="fuXlsWorkflow" runat="server" EnableViewState="true" />
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ErrorMessage="<%$ Resources:Message,ERR_FORMAT%>" ValidationExpression="^([a-zA-Z]|\x20|\x2E|:|\|[0-9])*.(xls|xlsx)$" ControlToValidate="fuXlsWorkflow" />
checkmarx detects a vulnerability on fuXlsWorkflow.FileName
file name is also passed to OLEDB Connection string.
i did tried HtmlEncode, but it didn't worked out.
ASP.NET
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
10,962 questions
ASP.NET API
ASP.NET API
ASP.NET: A set of technologies in the .NET Framework for building web applications and XML web services.API: A software intermediary that allows two applications to interact with each other.
338 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQM%3C/text%3E%3C/svg%3E)
QiYou-MSFT 4,321 Reputation points Microsoft Vendor2022-11-21T09:48:07.343+00:00 Hi @MUHAMMAD AZEEM AZAM ,
Can you provide the code information of the backend? I'm sorry for the front-end code in your issue description, I had a hard time reproducing the issue.Best Regards,
Qi You -
MUHAMMAD AZEEM AZAM 1 Reputation point
2022-11-21T16:49:53.233+00:00 Connection String Injection in Bottom Issues
ole Db Connection String i have is
string Connectionstring = "Provider=Microsoft.ACE.OLEDB.12.0; DataSource="+filepath+filename+"; Extended Properties=\"Excel 12.0 Xml;HDR=YES;IMEX=1\""
Issue With File Name in CheckMarx
Second Issue withBottom File Name with CheckMarx
string filename = Syste.IO.Path.Getfilenamewithoutextension(fuXlsWorkflow.FileName);
-
Viorel 117.6K Reputation points2022-11-21T17:42:38.587+00:00 Probably the original filename is not important. Maybe you can generate any filename (using Path.GetRandomFileName, for example), save the data using fuXlsWorkflow.SaveAs, then use the new filename in your connection string.
Sign in to comment
Sign in to answer