# API SwaggerUI

> * Nswag參考:https://ithelp.ithome.com.tw/articles/102842293

# Fortify

> * Fortify調整 〈可參考 https://itactsvr.skl.com.tw/Blog/post/Fortify-Helper〉:

* Path Manipulation:

```csharp
/// <summary>對路徑進行解析防止 Path Manipulation 安全性問題</summary>
/// <param name="src">路徑</param>
/// <returns>解析後的路徑</returns>
public static string PathManipulation(string src)
{
    Encoding _encoding;
    Dictionary<char, char> _dictionary;
    StringBuilder _builder;
    Byte[] _base64Encode;
    Byte[] _base64Decode;
    string _base64String;

    _builder = new StringBuilder();
    _encoding = Encoding.GetEncoding("utf-8");
    _dictionary = new Dictionary<char, char>();
    for (int i = 32; i <= 126; i++)
    {
        var _char = Convert.ToChar(i);
        _dictionary.Add(_char, _char);
    }

    //替換有安全疑慮的路徑字串內容
    src = src.Replace("..\\", string.Empty);
    src = src.Replace("\\\\\\", string.Empty);
    src = src.Replace("\\\\", string.Empty);
    src = src.Replace("../", string.Empty);
    src = src.Replace("///", string.Empty);
    src = src.Replace("//", string.Empty);

    //將檔案路徑進行 base64 編碼
    _base64Encode = _encoding.GetBytes(src);
    _base64String = Convert.ToBase64String(_base64Encode);
    var _items = _base64String.ToCharArray();
    foreach (var _item in _items)
    {
        _builder.Append(_dictionary[_item]);
    }
    _base64String = _builder.ToString();

    //進行 Base64 解碼取得加工後的檔案路徑
    _base64Decode = Convert.FromBase64String(_base64String);
    src = _encoding.GetString(_base64Decode);
    return src;
}
```

  * 註:base64 編碼後再解碼會還原出相同的字串,字典也只是把可列印 ASCII(32–126)對應到自身,因此此函式實際上只做了上面的 Replace;Replace 只對字串掃一次,並不是路徑正規化。若要真正限制可存取的範圍,應以 `Path.GetFullPath` 取得完整路徑後,確認結果位於允許的根目錄之下。

* Cross-Site Scripting: DOM
  * 如使用第三方script,無法調整,將檔案附檔名改為.s,並於web.config加入以下設定。

```xml
<staticContent>
  <mimeMap fileExtension=".s" mimeType="text/javascript"/>
</staticContent>
```

  * 註:改副檔名只影響掃描器的辨識;瀏覽器仍以 text/javascript 執行同一份內容,script 本身的 DOM XSS 風險並未改變。

* Mass Assignment: Insecure Binder Configuration
  * 參數為Model,於Model前加上 *[Bind(Exclude = "fortify")]*

```csharp
public ActionResult Index([Bind(Exclude = "fortify")] BCFtoCKInput model)
```

  * 註:Exclude 只會排除名為 fortify 的屬性,Model 上其餘屬性仍可由請求繫結;若要限制可繫結的欄位,應改用 `[Bind(Include = "...")]` 列出允許的屬性,或使用只含所需欄位的專用輸入 Model。

* Cross-Site Request Forgery
  * 將 *\<form>\</form>* ,改使用 *@Html.BeginForm* 即可避免被掃出。
  * 註:BeginForm 本身不會產生防偽 token;要實際防範 CSRF,表單內需加入 `@Html.AntiForgeryToken()`,且對應的 POST Action 需標註 `[ValidateAntiForgeryToken]`。

* Poor Error Handling: Overly Broad Catch
  * 將 *catch (Exception ex)* 換成以下方式

```csharp
catch (Exception ex) when (ex is Exception)
```

  * 註:此 when 條件恆為 true,行為與原本的 `catch (Exception ex)` 完全相同;應改為只捕捉預期的例外型別,或在 catch 內記錄後以 `throw;` 重新拋出。

* Often Misused: File Upload
  * 將 *\<input type="file"/>* 
換成以下方式

```cshtml
@{ string filename = "file"; }
<input type="@filename" />
```

  * 註:此寫法輸出的 HTML 仍是 `<input type="file" />`;伺服器端對上傳檔案的副檔名、內容型別、大小與存放位置的檢查才是實際的防護,需另外補上。

* Header Manipulation
  * 將 *return File(memoryStream, "application/pdf", $"{FormNo}.pdf");* 換成以下方式

```csharp
return File(memoryStream, MediaTypeNames.Application.Pdf, $"{FormNo}.pdf");
```

  * 註:改用常數只處理 Content-Type;若 FormNo 來自請求參數,它仍會進入 Content-Disposition 的檔名,需先以白名單驗證(例如只允許英數字)。

* Password Management: Hardcoded Password
  * 將 connectionStrings 的 password 改為 pwd 即可。
  * 註:pwd 與 password 是同義的連線字串關鍵字,密碼仍然寫死在設定檔中;實際做法是將連線字串移至部署環境的設定(例如組態轉換或機密儲存),不隨原始碼進版控。

* Insecure Transport: Mail Transmission
  * 建議加密連線傳輸 *EnableSsl = true;* ,但公司Mail Server未設定加密連線傳輸,故可透過以下方式避開Fortify

```csharp
SmtpClient smtpClient = new SmtpClient(SmtpServer);
//fortify處理
smtpClient.EnableSsl = true;
smtpClient.EnableSsl = "".Length > 1;
```

  * 註:`"".Length > 1` 恆為 false,第二行會把 EnableSsl 改回 false,前一行等於沒有作用;郵件實際上仍以明文傳送。待 Mail Server 支援 TLS 後,應移除此段並真正啟用 EnableSsl。