Do not define env vars from user input

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: csharp-security/untrusted-env-var

Language: C#

Severity: Error

Category: Security

CWE: 454

Description

No description found

Non-Compliant Code Examples

using System.Diagnostics;

public class Controller { }

public class ExampleController : Controller
{
    public void Example(string name, string value)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        proc.StartInfo.EnvironmentVariables.Add(name, value); // Noncompliant: name is a variable
        proc.Start();
    }
}

Compliant Code Examples

using System.Diagnostics;
using System.Text.RegularExpressions;

public class Controller { }

public class ExampleController : Controller
{
    public void Example(string value)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        string pattern = "^*$";
        Match m = Regex.Match(value, pattern);
        if (m.Success) {
            // Name "ENV_VAR" is not in the sensitive list, so value being dynamic is ok here.
            proc.StartInfo.EnvironmentVariables.Add("ENV_VAR", value);
        }
        proc.Start();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: aleksandr.pasechnik/svls-6807-lambda-fips