ID: csharp-security/shell-injection
Language: C#
Severity: Warning
Category: Security
CWE: 78
Description
Never build a command to execute by manually concatenating strings. Instead, validate each component of the command to ensure it contains no user input.
Non-Compliant Code Examples
public class Sample
{
    /// <summary>
    /// Non-compliant example: <paramref name="myProgram"/> is concatenated straight
    /// into the executable path, so whoever supplies it decides which binary runs.
    /// </summary>
    /// <param name="myProgram">Program name appended to the fixed "path/to/" prefix.</param>
    public void myMethod(string myProgram)
    {
        // This is the assignment the rule flags: FileName is built by concatenation.
        string target = "path/to/" + myProgram;
        Process p = new Process { StartInfo = { FileName = target } };
        p.Start();
    }
}
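public class Runner
{
    /// <summary>
    /// Non-compliant example: <paramref name="cmd"/> and <paramref name="args"/> are
    /// handed to the process exactly as given, so the caller decides what runs.
    /// The rule flags <c>FileName = cmd</c>.
    /// </summary>
    /// <param name="cmd">Executable to launch; used verbatim as FileName.</param>
    /// <param name="args">Argument string; passed verbatim to the child.</param>
    /// <param name="input">Text written to the child's standard input.</param>
    /// <returns>The child's exit code.</returns>
    public static int Run(string cmd, string args, string input)
    {
        ProcessStartInfo startInfo = new ProcessStartInfo
        {
            WorkingDirectory = Settings.RootDir,
            FileName = cmd,
            Arguments = args,
            UseShellExecute = false,
            RedirectStandardInput = true,
            RedirectStandardError = true,
            RedirectStandardOutput = true,
        };
        using (Process process = new Process())
        {
            process.EnableRaisingEvents = true;
            process.StartInfo = startInfo;
            process.Start();
            // Drain both redirected output pipes asynchronously; a child that fills
            // either one would otherwise block and WaitForExit would never return.
            process.BeginOutputReadLine();
            process.BeginErrorReadLine();
            // Hand the caller's input to the child, then close stdin so it sees EOF.
            process.StandardInput.Write(input);
            process.StandardInput.Close();
            // The original declared an int return but never returned; wait for the
            // child and report its exit code.
            process.WaitForExit();
            return process.ExitCode;
        }
    }
}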
Compliant Code Examples
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNetCore.Mvc;
namespace OwaspBenchmark.Controllers
{
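public class Cmdi03Controller : Controller
{
    /// <summary>
    /// OWASP Benchmark case. FileName is taken from a fixed array rather than
    /// built by concatenation, which is why this rule does not flag it; the
    /// argument string still embeds the decoded request parameter (the
    /// benchmark's own comments say the vulnerability is maintained), so this
    /// is not a safe pattern to copy.
    /// </summary>
    /// <param name="BenchmarkTest02611">Query-string value under test.</param>
    /// <returns>The child's stdout and stderr text, or an error message.</returns>
    [Route("cmdi-03/BenchmarkTest02611")]
    public IActionResult BenchmarkTest02611(string BenchmarkTest02611)
    {
        string param = BenchmarkTest02611;
        if (string.IsNullOrEmpty(param))
        {
            return Content("getQueryString() couldn't find expected parameter 'BenchmarkTest02611' in query string.");
        }
        param = HttpUtility.UrlDecode(param);
        string bar = DoSomething(param);
        string[] args;
        // Environment.OSVersion replaces the Java System.getProperty("os.name")
        // call carried over from the benchmark; that call does not compile in C#.
        if (Environment.OSVersion.Platform == PlatformID.Win32NT)
        {
            // Vulnerability is maintained (benchmark intent).
            args = new string[] { "cmd.exe", "/c", "echo ", bar };
        }
        else
        {
            // Vulnerability is maintained (benchmark intent).
            args = new string[] { "sh", "-c", "ls " + bar };
        }
        try
        {
            ProcessStartInfo psi = new ProcessStartInfo();
            psi.FileName = args[0];
            // Skip requires System.Linq.
            psi.Arguments = string.Join(" ", args.Skip(1));
            psi.UseShellExecute = false;
            psi.RedirectStandardOutput = true;
            psi.RedirectStandardError = true;
            using (Process p = Process.Start(psi))
            {
                // Read stderr concurrently so a child that fills that pipe cannot
                // block while stdout is drained synchronously.
                Task<string> errorTask = p.StandardError.ReadToEndAsync();
                string output = p.StandardOutput.ReadToEnd();
                p.WaitForExit();
                // The child has exited and stderr is at EOF, so this does not block.
                string error = errorTask.GetAwaiter().GetResult();
                return Content("Output:\n" + output + "\nError:\n" + error);
            }
        }
        catch (Exception e)
        {
            // Benchmark behaviour kept: note that e.Message is returned to the
            // client and may expose internal detail.
            return Content("Problem executing cmdi - TestCase: " + e.Message);
        }
    }

    /// <summary>Passes <paramref name="param"/> through the benchmark's ThingInterface indirection.</summary>
    private static string DoSomething(string param)
    {
        ThingInterface thing = ThingFactory.CreateThing();
        return thing.DoSomething(param);
    }
}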
/// <summary>Benchmark indirection through which the request parameter passes before use.</summary>
public interface ThingInterface
{
    /// <summary>Returns the value derived from <paramref name="param"/>.</summary>
    /// <param name="param">Input value.</param>
    string DoSomething(string param);
}
/// <summary>Creates the benchmark's concrete <see cref="ThingInterface"/> implementation.</summary>
public class ThingFactory
{
    /// <summary>Returns a new <see cref="RealThing"/>.</summary>
    public static ThingInterface CreateThing() => new RealThing();
}
/// <summary>Identity implementation: hands the parameter back unchanged.</summary>
public class RealThing : ThingInterface
{
    /// <inheritdoc/>
    public string DoSomething(string param) => param;
}
}