csharp.lang.security.injections.os-command.os-command-injection

profile photo of returntocorpreturntocorp
Author
5,563
Download Count*

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Run Locally

Run in CI

Defintion

rules:
  - id: os-command-injection
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/www-community/attacks/Command_Injection
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: The software constructs all or part of an OS command using
      externally-influenced input from an upstream component, but it does not
      neutralize or incorrectly neutralizes special elements that could modify
      the intended OS command when it is sent to a downstream component.
    patterns:
      - pattern-inside: |
          using System.Diagnostics;
          ...
      - pattern-inside: |
          public $T $F(..., $ARG, ...)
          {
            ...
          }
      - pattern-either:
          - patterns:
              - pattern: |
                  Process.Start($ARG, ...);
              - focus-metavariable: $ARG
          - patterns:
              - pattern-inside: |
                  Process $PROC = new Process();
                  ...
              - pattern-either:
                  - pattern-inside: |
                      $PROC.StartInfo.FileName = $ARG;
                      ...
                  - pattern-inside: |
                      $PROC.StartInfo.Arguments = <... $ARG ...>;
                      ...
              - pattern: |
                  $PROC.Start();
          - patterns:
              - patterns:
                  - pattern-inside: |
                      ProcessStartInfo $PSINFO = new ProcessStartInfo()
                      {
                        ...
                      };
                      ...
                  - pattern-either:
                      - pattern-inside: |
                          FileName = $ARG;
                          ...
                      - pattern-inside: |
                          Arguments = <... $ARG ...>;
                          ...
              - pattern: |
                  Process.Start($PSINFO);
              - focus-metavariable: $PSINFO

Examples

os-command.cs

using System.Diagnostics;

namespace Injections
{
    public class OsCommandInjection
    {
        public void RunOsCommand(string command)
        {
            // ruleid: os-command-injection
            var process = Process.Start(command);
        }

        public void RunOsCommand(string command)
        {
            // ok: os-command-injection
            var process = Process.Start("constant");
        }


        public void RunOsCommandWithArgs(string command, string arguments)
        {
            // ruleid: os-command-injection
            var process = Process.Start(command, arguments);
        }

        public void RunOsCommandWithArgs(string command, string arguments)
        {
            // ok: os-command-injection
            var process = Process.Start("constant", "constant");
        }


        public void RunOsCommandWithProcessParam(string command)
        {
            Process process = new Process();

            process.StartInfo.FileName = command;
            // ruleid: os-command-injection
            process.Start();
        }

        public void RunOsCommandWithProcessParam(string command)
        {
            Process process = new Process();

            process.StartInfo.FileName = "constant";
            // ok: os-command-injection
            process.Start();
        }


        public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
        {
            Process process = new Process();

            process.StartInfo.FileName = command;
            process.StartInfo.Arguments = arguments;
            // ruleid: os-command-injection
            process.Start();
        }

        public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
        {
            Process process = new Process();

            process.StartInfo.FileName = "constant";
            process.StartInfo.Arguments = "constant";
            // ok: os-command-injection
            process.Start();
        }


        public void RunOsCommandWithStartInfo(string command)
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo()
            {
                FileName = command
            };

            // ruleid: os-command-injection
            var process = Process.Start(processStartInfo);
        }

        public void RunOsCommandWithStartInfo(string command)
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo()
            {
                FileName = "constant"
            };

            // ok: os-command-injection
            var process = Process.Start(processStartInfo);
        }


        public void RunConstantAppWithArgs(string args)
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo()
            {
                FileName = "constant",
                Arguments = args
            };

            // ruleid: os-command-injection
            var process = Process.Start(processStartInfo);
        }

        public void RunConstantAppWithArgs(string args)
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo()
            {
                FileName = "constant",
                Arguments = "constant"
            };

            // ok: os-command-injection
            var process = Process.Start(processStartInfo);
        }
    }
}