
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
53 lines
1.3 KiB
Plaintext
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,csharp]
----
public void SensitiveExample() {
    String cmd = "file.exe";
    var startInfo = new ProcessStartInfo();
    startInfo.FileName = cmd; // Sensitive: file.exe will be searched for in PATH directories
}
----

== Compliant Solution

[source,csharp]
----
public void CompliantExample() {
    String cmd = "/usr/bin/file.exe";
    var startInfo = new ProcessStartInfo();
    startInfo.FileName = cmd; // Compliant
}
----

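The compliant solution above hard-codes an absolute path. In practice the executable name often arrives as a parameter, so the following added example (not part of the rule specification or of the SonarSource code base) shows one way to keep the rule's property in that situation: the name is reduced to a bare file name, resolved under an allow-listed directory, and the resulting absolute path is verified before it reaches `ProcessStartInfo.FileName`, so no PATH lookup can occur. The `TrustedDirectory` value and the class and method names are assumptions for illustration.

```csharp
// Added example, not part of the rule specification: resolve an executable to an
// absolute path inside an allow-listed directory before handing it to ProcessStartInfo.
using System;
using System.Diagnostics;
using System.IO;

public static class TrustedProcessLauncher
{
    // Hypothetical allow-listed directory; adjust for the actual deployment.
    private static readonly string TrustedDirectory =
        Path.GetFullPath(@"C:\Program Files\MyApp\bin");

    // Returns the absolute path of an executable inside TrustedDirectory, or throws.
    public static string ResolveTrustedExecutable(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("Executable name must not be empty", nameof(fileName));

        // Accept only a bare file name: any directory separator, "..", or an already
        // rooted path makes Path.GetFileName differ from the input and is rejected.
        if (fileName != Path.GetFileName(fileName))
            throw new ArgumentException("Executable must be given as a bare file name", nameof(fileName));

        string fullPath = Path.GetFullPath(Path.Combine(TrustedDirectory, fileName));

        // Defence in depth: confirm the normalised path is still inside the trusted
        // directory and that the file exists, so the caller fails early with a clear error
        // instead of launching something unexpected.
        string prefix = TrustedDirectory + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Resolved path escapes the trusted directory");
        if (!File.Exists(fullPath))
            throw new FileNotFoundException("Executable not found in trusted directory", fullPath);

        return fullPath;
    }

    // Launches the executable by its absolute path only; the name is never searched in PATH.
    public static Process StartTrusted(string fileName, string arguments)
    {
        var startInfo = new ProcessStartInfo
        {
            FileName = ResolveTrustedExecutable(fileName), // Compliant: absolute path
            Arguments = arguments,
            UseShellExecute = false, // do not let the shell resolve the file name either
        };
        return Process.Start(startInfo);
    }
}
```

Passing `"file.exe"` resolves to `C:\Program Files\MyApp\bin\file.exe` (if it exists there), while `"..\file.exe"`, `"sub\file.exe"` and `@"C:\other\file.exe"` are all rejected by the bare-name check before any path is built.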
include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 16 Oct 2018, 11:27:12 Nicolas Harraudeau wrote:
*Implementation details*

The example shows two ways of setting ``++ProcessStartInfo.FileName++``, either directly or via the ``++StartInfo++`` attribute of a newly created ``++Process++``. From the analysis point of view this is the same as ``++Process.StartInfo++`` is a ``++ProcessStartInfo++``.

=== on 9 May 2019, 15:11:54 Nicolas Harraudeau wrote:
This rule is deprecated for C# because the taint analysis engine already covers command injection (RSPEC-2076).

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]