csharp.lang.security.injections.os-command.os-command-injection
semgrepAuthor
5,563
Download Count*
License
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Run Locally
Run in CI
Defintion
rules:
- id: os-command-injection
severity: ERROR
languages:
- csharp
metadata:
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
references:
- https://owasp.org/www-community/attacks/Command_Injection
category: security
technology:
- .net
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Command Injection
message: The software constructs all or part of an OS command using
externally-influenced input from an upstream component, but it does not
neutralize or incorrectly neutralizes special elements that could modify
the intended OS command when it is sent to a downstream component.
patterns:
- pattern-inside: |
using System.Diagnostics;
...
- pattern-inside: |
public $T $F(..., $ARG, ...)
{
...
}
- pattern-either:
- patterns:
- pattern: |
Process.Start($ARG, ...);
- focus-metavariable: $ARG
- patterns:
- pattern-inside: |
Process $PROC = new Process();
...
- pattern-either:
- pattern-inside: |
$PROC.StartInfo.FileName = $ARG;
...
- pattern-inside: |
$PROC.StartInfo.Arguments = <... $ARG ...>;
...
- pattern: |
$PROC.Start();
- patterns:
- patterns:
- pattern-inside: |
ProcessStartInfo $PSINFO = new ProcessStartInfo()
{
...
};
...
- pattern-either:
- pattern-inside: |
FileName = $ARG;
...
- pattern-inside: |
Arguments = <... $ARG ...>;
...
- pattern: |
Process.Start($PSINFO);
- focus-metavariable: $PSINFO
- patterns:
- pattern-inside: |
Process $PROC = new Process()
{
StartInfo = new ProcessStartInfo()
{
...
}
};
...
- pattern-either:
- pattern-inside: |
FileName = $ARG;
...
- pattern-inside: |
Arguments = $ARG;
...
- pattern: |
$PROC.Start();
Examples
os-command.cs
using System.Diagnostics;
namespace Injections
{
public class OsCommandInjection
{
public void RunOsCommand(string command)
{
// ruleid: os-command-injection
var process = Process.Start(command);
}
public void RunOsCommand(string command)
{
// ok: os-command-injection
var process = Process.Start("constant");
}
public void RunOsCommandWithArgs(string command, string arguments)
{
// ruleid: os-command-injection
var process = Process.Start(command, arguments);
}
public void RunOsCommandWithArgs(string command, string arguments)
{
// ok: os-command-injection
var process = Process.Start("constant", "constant");
}
public void RunOsCommandWithProcessParam(string command)
{
Process process = new Process();
process.StartInfo.FileName = command;
// ruleid: os-command-injection
process.Start();
}
public void RunOsCommandWithProcessParam(string command)
{
Process process = new Process();
process.StartInfo.FileName = "constant";
// ok: os-command-injection
process.Start();
}
public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
{
Process process = new Process();
process.StartInfo.FileName = command;
process.StartInfo.Arguments = arguments;
// ruleid: os-command-injection
process.Start();
}
public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
{
Process process = new Process();
process.StartInfo.FileName = "constant";
process.StartInfo.Arguments = "constant";
// ok: os-command-injection
process.Start();
}
public void RunOsCommandWithStartInfo(string command)
{
ProcessStartInfo processStartInfo = new ProcessStartInfo()
{
FileName = command
};
// ruleid: os-command-injection
var process = Process.Start(processStartInfo);
}
public void RunOsCommandWithStartInfo(string command)
{
ProcessStartInfo processStartInfo = new ProcessStartInfo()
{
FileName = "constant"
};
// ok: os-command-injection
var process = Process.Start(processStartInfo);
}
public void RunConstantAppWithArgs(string args)
{
ProcessStartInfo processStartInfo = new ProcessStartInfo()
{
FileName = "constant",
Arguments = args
};
// ruleid: os-command-injection
var process = Process.Start(processStartInfo);
}
public void RunConstantAppWithArgs(string args)
{
ProcessStartInfo processStartInfo = new ProcessStartInfo()
{
FileName = "constant",
Arguments = "constant"
};
// ok: os-command-injection
var process = Process.Start(processStartInfo);
}
public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
{
Process process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = command,
Arguments = args
}
};
// ruleid: os-command-injection
process.Start();
}
public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
{
Process process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "constant",
Arguments = arguments
}
};
// ruleid: os-command-injection
process.Start();
}
public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
{
Process process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = command,
Arguments = "constant"
}
};
// ruleid: os-command-injection
process.Start();
}
public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
{
Process process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "constant",
Arguments = "constant"
}
};
// ok: os-command-injection
process.Start();
}
}
}
Short Link: https://sg.run/Ze6p