-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathSG0001.htm
More file actions
140 lines (114 loc) · 5.04 KB
/
SG0001.htm
File metadata and controls
140 lines (114 loc) · 5.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
<!DOCTYPE html>
<html lang="en">
<head>
<title>Potential command injection with Process.Start - Roslyn Security Guard</title>
<meta charset="utf-8">
<link href="css/bootstrap.min.css" media="screen" rel="stylesheet">
<link href="css/bootstrap-theme.min.css" media="screen" rel="stylesheet">
<link href="//fonts.googleapis.com/css?family=Ubuntu:400,500,700,400italic" rel="stylesheet" type="text/css">
<link href="css/font-awesome.min.css" media="screen" rel="stylesheet">
<!-- Custom styles -->
<link href="css/styles.css" media="screen" rel="stylesheet">
<!-- Mobile support -->
<meta content="width=device-width, initial-scale=1" name="viewport">
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="website" />
<meta property="og:title" content="Roslyn Security Guard" />
<meta property="og:description" content="Security Guard is a set of Roslyn analyzers that aim to help security audits on .NET applications." />
<meta property="og:site_name" content="Roslyn Security Guard" />
<meta name="twitter:card" content="summary" />
<meta name="twitter:description" content="Security Guard is a set of Roslyn analyzers that aim to help security audits on .NET applications." />
<meta name="twitter:title" content="Roslyn Security Guard" />
<meta name="keywords" content="security,owasp,csharp,c#,vb,.net,dotnet,asp.net,mvc,scanner,vulnerability,injection" />
<!-- IE 6-8 support of HTML 5 elements -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<![endif]-->
</head>
<body>
<a id="skippy" class="sr-only sr-only-focusable" href="#content"><div class="container"><span class="skiplink-text">Skip to main content</span></div></a>
<header class="navbar navbar-default navbar-fixed-top" id="top" role="banner">
<div class="container">
<div class="navbar-header">
<button class="navbar-toggle collapsed" type="button" data-toggle="collapse" data-target="#vertx-navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/" class="navbar-brand"><img alt="Security Guard Logo" src="images/logo-small.png"></a>
</div>
<nav class="collapse navbar-collapse" id="vertx-navbar-collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="index.htm">Download</a></li>
<li><a href="#comingsoon">Tutorial</a></li>
<li><a href="rules.htm">Rules</a></li>
</ul>
</nav>
</div>
</header>
<div class="index-header jumbotron jumbotron-ad hidden-print">
<div class="container">
<h2>Potential command injection with Process.Start</h2>
<a href="/rules.htm" class="btn-info btn-sm" role="button">Back to rules list</a>
</div>
</div>
<section id="rule" class="rule-single">
<div class="container highlight highlight-left">
<p>
The dynamic value passed to the command execution should be validated.
</p>
<h3>Risk</h3>
<p>
If a malicious user is able to controlled either the command FileName or Arguments, he might be able
to execute unwanted commands or add unwanted argument.
This behavior would not be possible if input parameter are validate against a whitelist of characters.
</p>
<h3>Vulnerable Code</h3>
<pre>
Process p = new Process();
p.StartInfo.FileName = "exportLegacy.exe";
p.StartInfo.Arguments = " -user " + input + " -role user";
p.Start();
</pre>
<h3>Solution</h3>
<pre>
Regex rgx = new Regex(@"^[a-zA-Z0-9]+$");
if(rgx.IsMatch(input)) {
Process p = new Process();
p.StartInfo.FileName = "exportLegacy.exe";
p.StartInfo.Arguments = " -user " + input + " -role user";
p.Start();
}
</pre>
<h3>References</h3>
<p>
<a href="https://www.owasp.org/index.php/Command_Injection">OWASP: Command Injection</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="http://cwe.mitre.org/data/definitions/78.html">CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</a>
</p>
</div>
</section>
<br/><br/>
<footer>
<div class="highlight-gray">
<div class="container footer text-center">
<p>.NET Security Guard is open source licensed under the <a href="https://www.gnu.org/licenses/lgpl-3.0.en.html">GNU Lesser General Public License 3.0 (LGPL)</a>.</p>
</div>
</div>
</footer>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-90570539-1', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>