Path Manipulation Fortify Security Remediation

When we scanned the code in the Fortify security remediation scan tool, we got the below message for the Path Manipulation attack: "Attackers are able to control the file system path argument to FileInfo(), which allows them to access or modify otherwise protected files. Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources."

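using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

[RoutePrefix("api/v1/file")]
public class FileController : ApiController
{
    [Route("pdf")]
    public IHttpActionResult GetPdf(string path = "")
    {
        var response = new HttpResponseMessage(HttpStatusCode.OK);

        // 'path' comes straight from the request and reaches FileInfo() and
        // File.OpenRead() unchecked; this is the data flow Fortify reports.
        var fileInfo = new FileInfo(path);

        if (fileInfo.Extension == ".pdf")
        {
            // No 'using' here: StreamContent owns the stream and disposes it
            // after the response body has been written.
            FileStream fs = File.OpenRead(path);
            response.Content = new StreamContent(fs);
            response.Content.Headers.ContentType = new MediaTypeHeaderValue("application/pdf");
        }
        return ResponseMessage(response);
    }
}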

What are the ways to address the above issue?

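One way to constrain the file argument from the question, shown as an added example that is not part of the original post: the client sends only a file name, and the controller resolves it under a fixed directory and confirms the canonical path is still inside that directory before opening it. The `PdfRoot` directory, the `name` parameter and the `ResolvePdf` helper are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

[RoutePrefix("api/v1/file")]
public class FileController : ApiController
{
    // Assumption: every downloadable PDF lives under this one directory (hypothetical path).
    private static readonly string PdfRoot =
        Path.GetFullPath(@"C:\AppData\pdfs").TrimEnd(Path.DirectorySeparatorChar)
        + Path.DirectorySeparatorChar;

    // Hypothetical helper: maps a client-supplied name to a file under PdfRoot, or returns null.
    internal static string ResolvePdf(string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return null;
        // Accept a bare file name only: no separators, drive letters or other invalid characters.
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (!name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return null;

        // Canonicalize, then confirm the result has not left PdfRoot.
        string full;
        try { full = Path.GetFullPath(Path.Combine(PdfRoot, name)); }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException
                                  || e is PathTooLongException) { return null; }
        return full.StartsWith(PdfRoot, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    [Route("pdf")]
    public IHttpActionResult GetPdf(string name = "")
    {
        string full = ResolvePdf(name);
        if (full == null) return BadRequest("Invalid file name.");
        if (!File.Exists(full)) return NotFound();

        var response = new HttpResponseMessage(HttpStatusCode.OK)
        {
            // StreamContent disposes the stream once the response has been sent.
            Content = new StreamContent(File.OpenRead(full))
        };
        response.Content.Headers.ContentType = new MediaTypeHeaderValue("application/pdf");
        return ResponseMessage(response);
    }
}
```

The trailing separator on `PdfRoot` matters for the prefix check: without it, a sibling directory such as `C:\AppData\pdfs-old` would also pass `StartsWith`.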