Description
The microsoft_maui_essentials_fileprovider_file_paths.xml file is identified as a potential security vulnerability during a Mobile Application Penetration Test.
The primary concern lies in the following XML section:
<paths>
<external-path name="external_files" path="." />
<cache-path name="internal_cache" path="." />
<external-cache-path name="external_cache" path="." />
</paths>
The issue arises from the exposure of the “.” path, which allows access to the entire cache directory. Even if the Exported attribute is set to false and the GrantUriPermissions attribute is set to true, this configuration does not justify the exposure of the “.” path.
For instance, the MediaPicker.android.cs class should not utilize the root directory:
var tmpFile = FileSystemUtils.GetTemporaryFile(Application.Context.CacheDir, fileName);
Instead, a subfolder, such as “MediaPicker”, should be used. This modification allows the fileProvider to restrict access to the cache directory to the “MediaPicker” subfolder, thereby minimizing the potential impact of a security breach.
Public API Changes
Do not use Application.Context.CacheDir, or any other app folder, directly if it is not necessary, and make the fileProvider file more granular.
Intended Use-Case
Improve security of the applications generated with .NET MAUI.
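
Added example (not part of the original issue or the .NET MAUI code base): a small Python audit that parses a FileProvider paths file like the one quoted above and reports every entry whose path resolves to the whole root directory. The `media_picker` entry, the function names and the sample XML are constructed for illustration; a missing `path` attribute is treated here as the whole root.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: the three entries quoted in the issue, plus one scoped
# entry of the kind the issue proposes (a "MediaPicker" subfolder).
SAMPLE_PATHS_XML = """<paths>
  <external-path name="external_files" path="." />
  <cache-path name="internal_cache" path="." />
  <external-cache-path name="external_cache" path="." />
  <cache-path name="media_picker" path="MediaPicker/" />
</paths>"""

# Element names accepted by androidx.core.content.FileProvider path files.
ROOT_TAGS = {
    "root-path", "files-path", "cache-path", "external-path",
    "external-files-path", "external-cache-path", "external-media-path",
}


def is_whole_root(path):
    """True when the path attribute resolves to the root directory itself
    (".", "", "/", "sub/..") or climbs above it ("..")."""
    if path is None:  # assumption: no path attribute means the root itself
        return True
    norm = posixpath.normpath(path.strip().strip("/") or ".")
    return norm in (".", "..") or norm.startswith("../")


def audit_paths(xml_text):
    """Return (tag, name, path) for each entry that shares a whole root."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ROOT_TAGS and is_whole_root(el.get("path")):
            findings.append((el.tag, el.get("name"), el.get("path")))
    return findings


if __name__ == "__main__":
    for tag, name, path in audit_paths(SAMPLE_PATHS_XML):
        print(f"BROAD <{tag} name={name!r} path={path!r}>: whole directory is shareable")
```

Run it against the `res/xml` paths file of a built app; only entries scoped to a subfolder pass without a finding.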