
Metadata

ID: csharp-security/untrusted-env-var

Language: C#

Severity: Error

Category: Security

CWE: 454

Description

No description found

Non-Compliant Code Examples

using System.Diagnostics;

public class Controller { }

public class ExampleController : Controller
{
    public void Example(string name, string value)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        proc.StartInfo.EnvironmentVariables.Add(name, value); // Noncompliant: name is a variable
        proc.Start();
    }
}

Compliant Code Examples

using System.Diagnostics;
using System.Text.RegularExpressions;

public class Controller { }

public class ExampleController : Controller
{
    public void Example(string value)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        string pattern = "^*$";
        Match m = Regex.Match(value, pattern);
        if (m.Success) {
            // Name "ENV_VAR" is not in the sensitive list, so value being dynamic is ok here.
            proc.StartInfo.EnvironmentVariables.Add("ENV_VAR", value);
        }
        proc.Start();
    }
}
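
When the caller has to choose which variable is set, the name can still be kept out of its control by mapping the input to a fixed allowlist. The following is an added example, not part of the original rule documentation; the class name, option keys, variable names and value pattern are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class ChildProcessEnv
{
    // Hypothetical allowlist: caller-facing option key -> fixed environment variable name.
    // Names that influence program loading or lookup (PATH and similar) never appear here.
    private static readonly Dictionary<string, string> AllowedNames =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "locale", "APP_LOCALE" },
            { "log-level", "APP_LOG_LEVEL" },
        };

    // Assumed value policy: 1 to 64 characters of letters, digits, '_', '.' or '-'.
    // \A and \z anchor the whole string, so a trailing newline is rejected.
    private static readonly Regex SafeValue =
        new Regex(@"\A[A-Za-z0-9_.-]{1,64}\z", RegexOptions.CultureInvariant);

    // Returns true and sets the variable only when both the key and the value pass.
    public static bool TrySet(ProcessStartInfo psi, string key, string value)
    {
        if (key == null || value == null) return false;
        if (!AllowedNames.TryGetValue(key, out string envName)) return false;
        if (!SafeValue.IsMatch(value)) return false;
        // The name comes from the allowlist, never from the caller.
        // The indexer overwrites an inherited value instead of throwing like Add().
        psi.EnvironmentVariables[envName] = value;
        return true;
    }

    public static Process Start(string key, string value)
    {
        var psi = new ProcessStartInfo("path/to/executable")
        {
            UseShellExecute = false // environment changes require UseShellExecute = false
        };
        if (!TrySet(psi, key, value))
            throw new ArgumentException("Environment setting rejected.");
        return Process.Start(psi);
    }
}
```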