I'm using normal code to upload a file, but when I use the function move_uploaded_file
it shows me the error in the image.
- Point #1 says: This value can be controlled by the user.
- Point #2 says: Taint value is propagated.
- Point #3 says: Taint value is used to perform a security-sensitive operation.
See my code:
// strpos() never returns true, so the original "!== true" check always passed and
// $file_name was undefined; the guard now rejects names containing '../' instead.
if (!empty($_FILES["attachment"]["name"]) && strpos($_FILES["attachment"]["name"], '../') === false) {
    $uploadStatus = 1;
    $files_folder = 'files';
    $target_dir = dirname(__FILE__).'/'.$files_folder.'/';
    // basename() strips any directory part of the client-supplied name
    $fileName = basename($_FILES["attachment"]["name"]);
    $targetFilePath = $target_dir . $fileName;
    $imageFileType = strtolower(pathinfo($targetFilePath, PATHINFO_EXTENSION));
    if ($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" && $imageFileType != "gif" && $imageFileType != "pdf") {
        $uploadStatus = 0;
        $img_status = 1;
    } else if (move_uploaded_file($_FILES['attachment']['tmp_name'], $targetFilePath)) {
        $uploadedFile = $targetFilePath;
    } else {
        $uploadStatus = 0;
    }
}
This is a false positive. SonarQube wrongly considers
$_FILES['attachment']['tmp_name']
as user-controlled data. According to the PHP documentation, $_FILES['userfile']['name']
is user-controlled, but $_FILES['userfile']['tmp_name']
is not. You can mark this issue as a false positive in SonarQube.
The problem was fixed in SonarQube 8.6.
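As an added example (not code from the question or the answer above), here is an upload handler that keeps the genuinely user-controlled value, $_FILES['attachment']['name'], out of the filesystem path entirely, so a taint analyser has nothing to propagate into move_uploaded_file. It assumes a form field named "attachment" and a "files" directory next to the script; the function name storeUpload is my own.

```php
<?php
// Added example: the stored filename is chosen by the server, and the file type is
// decided from the content rather than from the client-supplied name or extension.
function storeUpload(array $file, string $targetDir): ?string
{
    // Reject missing, failed or partial uploads up front.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept a file that PHP itself placed in the temp dir for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Allowlist of detected MIME types and the extension the server will assign.
    $allowed = [
        'image/jpeg'      => 'jpg',
        'image/png'       => 'png',
        'image/gif'       => 'gif',
        'application/pdf' => 'pdf',
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }
    // Server-generated name: nothing from $_FILES[...]['name'] reaches the path.
    $storedName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $targetPath = rtrim($targetDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $targetPath)) {
        return null;
    }
    // The original client name can still be kept as metadata (escaped when displayed).
    return $storedName;
}

$result = storeUpload($_FILES['attachment'] ?? [], __DIR__ . '/files');
$uploadStatus = ($result === null) ? 0 : 1;
```

The "files" directory should be writable by the web server but not executable as script content (or sit outside the document root and be served through a download script), since the extension allowlist alone does not prevent a misconfigured server from executing an uploaded file.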