Security 带有checkmarx的CakePhp 3文件操纵漏洞
当我通过checkmarx运行我的应用程序时,我不断得到一份文件操作和文件披露报告。报告指出: 通过第67行的文件src/Controller/UploadsController.php中的外接程序获得的输入用于确定第67行的文件src/Controller/UploadsController.php中的外接程序要写入的文件的位置,可能允许攻击者更改或损坏该文件的内容,或创建一个新文件 代码段: 这是我一直在尝试做的,但我一直在报告中遇到同样的问题。我还能做些什么来绕过这个问题?欢迎提出想法/解决方案Security 带有checkmarx的CakePhp 3文件操纵漏洞,security,file-upload,cakephp-3.x,checkmarx,Security,File Upload,Cakephp 3.x,Checkmarx,当我通过checkmarx运行我的应用程序时,我不断得到一份文件操作和文件披露报告。报告指出: 通过第67行的文件src/Controller/UploadsController.php中的外接程序获得的输入用于确定第67行的文件src/Controller/UploadsController.php中的外接程序要写入的文件的位置,可能允许攻击者更改或损坏该文件的内容,或创建一个新文件 代码段: 这是我一直在尝试做的,但我一直在报告中遇到同样的问题。我还能做些什么来绕过这个问题?欢迎提出想法/解
公共函数添加(){
$upload=$this->Uploads->newEntity();
if(escapeshellcmd(escapeshellarg($this->request->is('post'))){
$args=数组(
“tmp\u name”=>过滤器\u清理\u URL,
'error'=>过滤器\u验证\u INT,
'name'=>过滤器\u清理\u编码,
'type'=>过滤器\u消毒\u特殊\u字符,
'大小'=>过滤器\u清理\u编码,
);
$filtered=filter\u var\u数组($this->request->getData('bulk\u name'),$args);
如果(!空($filtered)){
$file=$this->sanitizeData($filtered);
如果(isset($file['flashMessage'])){
$flashMessage=$file['flashMessage'];
$this->Flash->error($flashMessage,['key'=>'error']);
}否则{
$uploadDirectory=getcwd().DS.'files'.DS;
$fileName=$file['name'];
$upload=$this->Uploads->patchEntity($upload,$this->request->getData());
$upload->file_name=$fileName;
$tmp_name=$file['tmp_name'];
$destination=$uploadDirectory.$fileName;
if(escapeshellcmd(escapeshellarg(移动上传文件($tmp\U名称,$destination))){
$datasource=ConnectionManager::get(“默认”);
$datasource->begin();
$saveUpload=$this->Uploads->save($upload);
如果($saveUpload){
$session=$this->getRequest()->getSession();
$clientID=$session->read('Auth.User.client_id');
$userID=$session->read('Auth.User.id');
$lastSavedId=$saveUpload->id;
$baseName=baseName($fileName);
$uploadedCSVFile=$uploadDirectory.$baseName;
$csvFile=fopen($uploadedCSVFile,“r”);
$totalAmount=0;
while(($row=fgetcsv($csvFile))!==false){
如果($row[1]<1)继续;
$totalAmount+=trim($row[1]);
}
fclose($csvFile);
$uploadEntry=$this->Uploads->UploadEntries->newEntity();
$entryData=array();
$entryData['upload_id']=$lastSavedId;
$entryData['client_id']=$clientID;
$entryData['user\u id']=$userID;
$entryData['amount']=$totalAmount;
$entryData['status']=0;
$uploadEntry=$this->Uploads->UploadEntries->patchEntity($uploadEntry,$entryData);
$saveUploadEntries=$this->Uploads->UploadEntries->save($uploadEntry);
如果($saveUploadEntries){
$datasource->commit();
$this->Flash->success('上传已保存',['key'=>'success']);
返回$this->redirect('/');
}
$this->Flash->错误(_u('无法保存上载。请重试');
}
$this->Flash->错误(_u('无法保存上载。请重试');
}
$this->Flash->错误(_u('无法保存上载。请重试');
}
}否则{
$this->Flash->error(uuu('Empty Upload',['key'=>'error']);
}
}
$this->set(压缩(“上载”);
}
公共功能净化数据($input){
$args=数组(
“tmp\u name”=>过滤器\u清理\u URL,
'error'=>过滤器\u验证\u INT,
'name'=>过滤器\u清理\u编码,
'type'=>过滤器\u消毒\u特殊\u字符,
'大小'=>过滤器\u清理\u编码,
);
$filtered=filter\u var\u数组($input,$args);
$fileExtensionsAllowed=['csv'];//这些将是唯一允许的文件扩展名
$mimes=array('application/vnd.ms excel','text/plain','text/csv','text/tsv');
$fileName=$filtered['name'];
$fileSize=$filtered['size'];
$fileTmpName=$filtered['tmp_name'];
$fileType=$filtered['type'];
$fileError=$filtered['error'];
$file=explode('.',$fileName);//拆分扩展名为的文件名
$ext=end($file);//获取扩展名
$fileExtension=strtolower($ext);//如果将扩展名更改为小写
$output=array();
如果(!可读($fileTmpName)){
$output['flashMessage']='文件不可读';
}elseif(!in_数组($fileExtension,$fileExtensionsAllowed)&&!in_数组($fileType,$mimes)){
$output['flashMessage']=“不支持的文件类型”;
}elseif($fileSize>50000){
$output['flashMessage']='文件太大,无法上载';
}elseif(!$fileError==0){
$output['flashMessag
....
78. $filtered = filter_var_array($this->request->getData('bulk_name'), $args);
....
94. if(escapeshellcmd(escapeshellarg(move_uploaded_file($tmp_name, $destination)))) {
....
150. public function sanitizeData($input){
....
211. public function sanitize($string, $forceLowerCase = true, $anal = false) {