ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6547/rationale.adoc

10 lines
672 B
Plaintext
Raw Permalink Normal View History

Create rule S6547(C#): Environment variables should not be defined from untrusted input (#2875) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6547/csharp) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2023-08-17 12:58:46 +02:00
Environment variable injection occurs in an application when the application receives
data from a user or a third-party service and, without sanitizing it first, does the following:
* Creates an environment variable based on the external data.
* Inserts the external data into certain sensitive environment variables, such as `PATH` or `LD_PRELOAD`.
If an application uses environment variables that are vulnerable to injection, it is exposed
to a variety of attacks that aim to exploit supposedly safe environment variables, such as `PATH`.
A user with malicious intent carefully performs actions aimed at modifying or adding environment variables to profit from it.
Reference in New Issue Copy Permalink