C# FileUpload 不適當的存取

專案的程式需要經過 Micro Focus 掃過,但這個問題(CWE-284: Improper Access Control)我實在找不到方法,我的功能只有簡單的上傳後確認,大部分文件的緩解方法都是權限處理,但具體該如何做呢?

Improper access control weaknesses usually result in logic errors. Developers must carefully manage settings and handling of privileges as well as pay attention to security zones within the application. They should also integrate mechanisms that control privilege separation functionality and think about creating architecture that relies on the least privilege principle.

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

fillano iT邦超人 1 級 ‧ 2019-07-16 16:10:04 檢舉
例如原本是透過Web Server直接存取檔案,現在改成透過程式來存取。上傳是「存」,使用資源是「取」,也就是說現在「取」的部份也要經過程式做權限的控管,不能直接透過Web Server下載。你可以想一想這要怎麼做。