From 0c9218e4418dbb5dde90f8f8d9a11c272fbb1b11 Mon Sep 17 00:00:00 2001
From: sivakumar <93644655+sivakumars3442@users.noreply.github.com>
Date: Wed, 20 Dec 2023 17:57:20 +0530
Subject: [PATCH] Resolved security issue in FTP service provider.
---
 Models/FTPFileProvider.cs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Models/FTPFileProvider.cs b/Models/FTPFileProvider.cs
index ff657ba..79dab9f 100644
--- a/Models/FTPFileProvider.cs
+++ b/Models/FTPFileProvider.cs
@@ -1184,6 +1184,10 @@ protected void UploadFile(IFormFile file, string fileName)
 protected FileStreamResult DownloadFile(string fullPath, string folderPath)
 {
 string tempPath = this.GetTempFilePath(fullPath, folderPath);
+ if (Path.GetFullPath(tempPath) != Path.GetDirectoryName(tempPath) + Path.DirectorySeparatorChar + Path.GetFileName(tempPath))
+ {
+ throw new UnauthorizedAccessException("Access denied for Directory-traversal");
+ }
 FileStream fileStreamInput = new FileStream(tempPath, FileMode.Open, FileAccess.Read);
 FileStreamResult fileStreamResult = new FileStreamResult(fileStreamInput, "APPLICATION/octet-stream");
 return fileStreamResult;
@@ -1200,6 +1204,10 @@ protected void CopyFile(string fileName, string tempPath)
 {
 FtpWebResponse response = this.CreateResponse(fileName, WebRequestMethods.Ftp.DownloadFile);
 byte[] buffer = this.ConvertByte(response.GetResponseStream());
+ if (Path.GetFullPath(tempPath) != Path.GetDirectoryName(tempPath) + Path.DirectorySeparatorChar + Path.GetFileName(tempPath))
+ {
+ throw new UnauthorizedAccessException("Access denied for Directory-traversal");
+ }
 using (Stream file = File.OpenWrite(tempPath))
 {
 file.Write(buffer, 0, buffer.Length);
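Review bot: The comparison added in DownloadFile only establishes that `tempPath` is already fully qualified and free of relative segments; it does not establish that the file lies inside the directory the provider is meant to serve from, so a fully qualified path pointing elsewhere still passes. GetTempFilePath is not visible in this hunk, so whether such a value can reach this line needs checking. The guard would be stronger as a containment test against the intended root, e.g. `if (!Path.GetFullPath(tempPath).StartsWith(tempRoot, StringComparison.Ordinal)) throw new UnauthorizedAccessException(...);`, where `tempRoot` is a placeholder for the canonical temp directory ending in a directory separator. The same expression is repeated in CopyFile in the next hunk, so a single private helper would keep the two checks in step. A relative `tempPath` would also now always throw, since GetFullPath roots the left-hand side while the right-hand side stays relative.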
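Review bot: In CopyFile the path check runs only after `CreateResponse` and `ConvertByte` have fetched the whole remote file, so a rejected `tempPath` still costs an FTP download and, as far as this hunk shows, leaves `response` unreleased on the throw path. Moving the `if` block to the first statement of the method, ahead of `FtpWebResponse response = ...`, rejects the request before any network I/O happens. The body of CopyFile continues past the end of the hunk, so any later cleanup of `response` is not visible here.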