Reputation: 491
My application is using Process.Start for opening another application to run. VeraCode [a security software scanning tool] reported this command as OS Command Injection Vulnerable. I would like to get some comment. I have found a lot of information on the web regarding filtering the input or constraining the program name; however, I am curious to see if there are any other alternatives to using Process.Start?
Edit: Thanks for the comment, here is one of the samples, and yes, it is getting input from users:
using System.Diagnostics;

// fileName and arguments both come from user input (see the edit above)
public static void Run(string fileName, string arguments, bool waitForExit)
{
    Process p = Process.Start(fileName, arguments);
    if (waitForExit)
        p.WaitForExit();
}
Thanks!
Upvotes: 5
Views: 8921
Reputation: 1870
The Process class is nothing more than a managed wrapper class for the native CreateProcessA function and its variants, like CreateProcessAsUserA – see Process’s source code.
I don't think that there is a way to start a process other than this, because every other solution would also call the WinAPI function. This function (or its overloads and variations) is the only way to start a process in Windows.
Personally, I have not heard anything about a problem with Process.Start.
Upvotes: 3
Reputation: 39
This is an OS Command Injection vulnerability, because you have not filtered the user's input in the function and have directly appended it to Process.Start(). Due to this, the tool has marked it as a vulnerability.
To avoid this issue, you should use a regex method to filter out the bad characters depending on what that function is going to do when it gets run.
For example, if your function is created only to check this path, c:/users/docs.txt, then that function should not get executed for c:/admin/docs.txt.
This is how you need to validate before sending the user data directly into the process.
For more information, refer to these awesome links:
[1] Potential command injection with Process.Start.
[2] CWE 78: OS Command Injection.
Upvotes: 3
Reputation: 379
I ran into this as well. You need to set the UseShellExecute property to false. Then Veracode will not consider it a vulnerability.
using System.IO;
using WinProcess = System.Diagnostics.Process; // assumed alias; WinProcess is not a framework type

// fullPath is the file the user asked to open (defined by the surrounding code)
using (WinProcess myProcess = new WinProcess())
{
    myProcess.StartInfo.FileName = "notepad.exe";
    myProcess.StartInfo.Arguments = Path.GetFileName(fullPath);
    myProcess.StartInfo.UseShellExecute = false;
    myProcess.StartInfo.WorkingDirectory = Path.GetDirectoryName(fullPath);
    myProcess.StartInfo.RedirectStandardOutput = false;
    myProcess.Start();
}
Upvotes: 1
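The two answers above each cover one half of the fix: the second answer says to validate which file the user may point the tool at (c:/users/docs.txt allowed, c:/admin/docs.txt not), and the third says to set UseShellExecute to false so the launch goes through CreateProcess rather than ShellExecuteEx. Setting UseShellExecute to false on its own does not help if the user can still choose the executable or inject extra tokens into a concatenated argument string. The following is an added example, written for this page and not code from any of the posters, that combines both points in one launcher: the executable comes from a fixed table keyed by name, the user-supplied file is canonicalised and checked against an allowed root, and the argument is passed as a single token through ProcessStartInfo.ArgumentList instead of a formatted string. The tool table, the allowed root, and the .NET Core 2.1 / .NET 5 or later requirement for ArgumentList and Path.GetRelativePath are assumptions, not anything the original question specified.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;

// Added example, not from the original question or answers.
// Assumes .NET Core 2.1+ or .NET 5+ (ProcessStartInfo.ArgumentList, Path.GetRelativePath).
// The tool table and the allowed root below are constructed sample values.
public static class SafeLauncher
{
    // The caller selects a tool by key; the executable path never comes from user input.
    private static readonly Dictionary<string, string> AllowedTools =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["notepad"] = @"C:\Windows\System32\notepad.exe",   // constructed entry
        };

    // Only files under this directory may be handed to a tool (constructed root).
    private static readonly string AllowedRoot =
        Path.GetFullPath(@"C:\Users\Public\Documents");

    // Returns the canonical path if it lies inside AllowedRoot, otherwise null.
    public static string ResolveAllowedFile(string userSuppliedPath)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedPath))
            return null;

        // Canonicalise first: ..\ segments, mixed separators and absolute paths are
        // resolved before the containment check, so they cannot be used to escape.
        string full = Path.GetFullPath(Path.Combine(AllowedRoot, userSuppliedPath));
        string relative = Path.GetRelativePath(AllowedRoot, full);

        // GetRelativePath yields ".." / "..\x" when the target is outside the root,
        // and a rooted path when it is on a different drive.
        bool escapes = relative == ".."
            || relative.StartsWith(".." + Path.DirectorySeparatorChar, StringComparison.Ordinal)
            || Path.IsPathRooted(relative);
        return escapes ? null : full;
    }

    // Launches the named tool on the user-chosen file; returns the exit code when waiting.
    public static int Run(string toolKey, string userSuppliedPath, bool waitForExit)
    {
        string exe;
        if (!AllowedTools.TryGetValue(toolKey, out exe))
            throw new ArgumentException("Unknown tool '" + toolKey + "'", nameof(toolKey));

        string file = ResolveAllowedFile(userSuppliedPath);
        if (file == null)
            throw new ArgumentException("File is outside the permitted directory", nameof(userSuppliedPath));

        var psi = new ProcessStartInfo
        {
            FileName = exe,
            UseShellExecute = false,     // CreateProcess: no file-association or URL handling
            WorkingDirectory = AllowedRoot,
        };
        // One ArgumentList entry is one argv token; the runtime quotes it, so no manual
        // quoting or string concatenation of user data is involved.
        psi.ArgumentList.Add(file);

        using (Process p = Process.Start(psi))
        {
            if (p == null)
                throw new InvalidOperationException("Process failed to start");
            if (!waitForExit)
                return 0;
            p.WaitForExit();
            return p.ExitCode;
        }
    }
}
```

With this shape, a caller such as SafeLauncher.Run("notepad", @"..\..\admin\docs.txt", true) throws before any process is created, while SafeLauncher.Run("notepad", "docs.txt", true) opens C:\Users\Public\Documents\docs.txt. The static-analysis finding is addressed by construction rather than by a regex over the raw string: the only user-controlled value that reaches ProcessStartInfo is a canonical path that has already passed the containment check.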