ID: csharp-security/shell-injection
Language: C#
Severity: Warning
Category: Security
CWE : 78
Description: Never build a command to execute by manually concatenating strings. Instead, validate each component of the command to ensure it contains no user input.
Non-Compliant Code Examples
public class Sample
{
/// <summary>
/// Non-compliant: the executable path is assembled by string concatenation with a
/// caller-supplied value, so whoever controls <paramref name="myProgram"/> chooses
/// which file under <c>path/to/</c> is launched.
/// </summary>
/// <param name="myProgram">Program name appended verbatim to the fixed prefix.</param>
public void myMethod(string myProgram)
{
    var launcher = new Process();
    var startInfo = launcher.StartInfo;
    startInfo.FileName = "path/to/" + myProgram;
    launcher.Start();
}
}
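/// <summary>
/// Non-compliant example: <c>cmd</c> and <c>args</c> are launched exactly as the caller
/// supplied them, with no validation of either component of the command line.
/// </summary>
public class Runner
{
    /// <summary>
    /// Starts <paramref name="cmd"/> with <paramref name="args"/> in <c>Settings.RootDir</c>,
    /// feeds <paramref name="input"/> to the child's standard input and waits for it to exit.
    /// </summary>
    /// <param name="cmd">Executable to run, taken verbatim from the caller.</param>
    /// <param name="args">Argument string, taken verbatim from the caller.</param>
    /// <param name="input">Text written to the child's standard input before it is closed.</param>
    /// <returns>The child's exit code.</returns>
    public static int Run(string cmd, string args, string input)
    {
        ProcessStartInfo startInfo = new ProcessStartInfo
        {
            WorkingDirectory = Settings.RootDir,
            FileName = cmd,
            Arguments = args,
            UseShellExecute = false,
            RedirectStandardInput = true,
            RedirectStandardError = true,
            RedirectStandardOutput = true,
        };
        using (Process process = new Process())
        {
            process.EnableRaisingEvents = true;
            process.StartInfo = startInfo;
            process.Start();
            // Both output pipes were redirected; drain them asynchronously so a chatty
            // child cannot block on a full pipe before WaitForExit returns.
            process.BeginOutputReadLine();
            process.BeginErrorReadLine();
            // stdin was redirected: hand over the caller's input and close it so a child
            // that reads to EOF does not wait forever.
            process.StandardInput.Write(input);
            process.StandardInput.Close();
            // The method is declared to return int but the original never returned a
            // value; wait for the child and report its exit code.
            process.WaitForExit();
            return process.ExitCode;
        }
    }
}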
Compliant Code Examples
using Microsoft.AspNetCore.Mvc ;
using System ;
using System.Diagnostics ;
using System.IO ;
using System.Web ;
namespace OwaspBenchmark.Controllers
{
/// <summary>
/// OWASP Benchmark command-injection test case (cmdi-03). It is listed as compliant for
/// this rule only because the executable name (<c>args[0]</c>) is a fixed literal rather
/// than a concatenated string; the query-string value still reaches the shell command
/// line, as the "Vulnerability is maintained" comments below state.
/// </summary>
public class Cmdi03Controller : Controller
{
/// <summary>
/// Runs <c>echo</c> (Windows) or <c>ls</c> (other platforms) with a query-string value
/// appended to the command and returns the child's output as the response body.
/// </summary>
/// <param name="BenchmarkTest02611">Query-string parameter bound by ASP.NET Core.</param>
/// <returns>The child's stdout and stderr, or an error message when the parameter is missing or the launch fails.</returns>
[Route("cmdi-03/BenchmarkTest02611")]
public IActionResult BenchmarkTest02611 ( string BenchmarkTest02611 )
{
string param = BenchmarkTest02611 ;
if ( string . IsNullOrEmpty ( param ))
{
return Content ( "getQueryString() couldn't find expected parameter 'BenchmarkTest02611' in query string." );
}
// NOTE(review): the bound query value is presumably already decoded by model binding,
// so this is a second decode — confirm it is intended.
param = HttpUtility . UrlDecode ( param );
// bar is the request value passed through an indirection that returns it unchanged.
string bar = DoSomething ( param );
string cmd = "" ;
string a1 = "" ;
string a2 = "" ;
string [] args = null ;
// NOTE(review): System.getProperty is a Java API with no C# counterpart; this line
// does not compile as written — confirm the intended OS check.
string osName = System . getProperty ( "os.name" );
if ( osName . IndexOf ( "Windows" ) != - 1 )
{
a1 = "cmd.exe" ;
a2 = "/c" ;
cmd = "echo " ;
//Vulnerability is maintained
// Untrusted: bar (query string) becomes a separate element of the command line.
args = new string [] { a1 , a2 , cmd , bar };
}
else
{
a1 = "sh" ;
a2 = "-c" ;
cmd = "ls " ;
//Vulnerability is maintained
// Untrusted: bar (query string) is concatenated into the single "-c" argument.
args = new string [] { a1 , a2 , cmd + bar };
}
// Declared but never applied to the ProcessStartInfo below.
string [] argsEnv = { "foo=bar" };
try
{
ProcessStartInfo psi = new ProcessStartInfo ();
// FileName is the fixed literal in args[0]; this is why the rule does not flag the sample.
psi . FileName = args [ 0 ];
// NOTE(review): Skip is a System.Linq extension; the using list on this page does not
// include System.Linq.
psi . Arguments = string . Join ( " " , args . Skip ( 1 ));
psi . UseShellExecute = false ;
psi . RedirectStandardOutput = true ;
psi . RedirectStandardError = true ;
// Review: the Process is never disposed; a using declaration would release its handle.
Process p = Process . Start ( psi );
// Review: reading stdout to end before stderr can deadlock if the child fills the
// stderr pipe first; reading one of the streams asynchronously avoids that.
string output = p . StandardOutput . ReadToEnd ();
string error = p . StandardError . ReadToEnd ();
p . WaitForExit ();
return Content ( "Output:\n" + output + "\nError:\n" + error );
}
catch ( Exception e )
{
// Review: echoing e.Message to the client exposes internal detail; log it server-side instead.
return Content ( "Problem executing cmdi - TestCase: " + e . Message );
}
}
/// <summary>
/// Passes <paramref name="param"/> through the <c>ThingInterface</c> produced by
/// <c>ThingFactory</c>; with <c>RealThing</c> the value comes back unchanged.
/// </summary>
/// <param name="param">Decoded request value.</param>
/// <returns>Whatever the configured <c>ThingInterface</c> returns for <paramref name="param"/>.</returns>
private static string DoSomething ( string param )
{
ThingInterface thing = ThingFactory . CreateThing ();
string bar = thing . DoSomething ( param );
return bar ;
}
}
/// <summary>
/// Indirection the benchmark uses to pass the request value through before it reaches
/// the command line.
/// </summary>
public interface ThingInterface
{
/// <summary>Transforms <paramref name="param"/>; the <c>RealThing</c> implementation on this page returns it unchanged.</summary>
/// <param name="param">Value to transform.</param>
/// <returns>The transformed value.</returns>
string DoSomething ( string param );
}
/// <summary>
/// Produces the <see cref="ThingInterface"/> implementation used by the benchmark controller.
/// </summary>
public class ThingFactory
{
    /// <summary>Creates a new <see cref="RealThing"/>.</summary>
    /// <returns>A fresh <see cref="RealThing"/> instance.</returns>
    public static ThingInterface CreateThing() => new RealThing();
}
/// <summary>
/// Identity implementation of <see cref="ThingInterface"/>: the input is returned untouched,
/// so whatever the caller passes in reaches the caller's next step unmodified.
/// </summary>
public class RealThing : ThingInterface
{
    /// <inheritdoc/>
    public string DoSomething(string param) => param;
}
}