SEC0112 false positive

[ericwscott]

Any use of a variable in the File API appears to trigger this warning. The only way I can find to satisfy the analyzer is to use a hard coded string for the file path. Even the secure example code from the documentation triggers the warning:

[HttpPost]
public HttpResponseMessage Delete(Guid fileId)
{
    string path = Path.Combine(ConfigurationManager.AppSettings["DownloadPath"], fileId.ToString());
    File.Delete(path);
    return Request.CreateResponse(HttpStatusCode.OK);
}

Is the only way prevent this warning hard coding the path or manual suppression?

[ejohn20]

Correct, the rule in its current state is more of a dangerous function. We'll add this to the list of rules to improve the taint analysis within the new code block once this is ready.

FYI - You can suppress the rule by right clicking the warning and adding it to a suppression file.

[ericwscott]

Thanks for the explanation. I'll leave it up to you if you want to close the issue or use it to track the enhancement you were discussing.

[ejohn20]

No problem. Thanks for the feedback, there are a couple of rules that are similar to this that we can't "fix" in their current state via code changes. This is not ideal. I will leave this issue open so we remember to enhance this rule when the code block analyzer is ready.