64 lines
1.6 KiB
Plaintext
64 lines
1.6 KiB
Plaintext
=== How to fix it in .NET
|
|
|
|
The following code uses the `find` command and expects the user to enter the
|
|
name of a file to find on the system.
|
|
|
|
It is vulnerable to arguments injection because untrusted data is inserted
|
|
directly into the arguments of a process call without sanitization. +
|
|
The application assumes that incoming data always consists of a specific range
|
|
of characters and ignores that some characters might force the `find` command
|
|
to start a shell.
|
|
|
|
In this particular case, an attacker may remove files in `/some/folder` with the following string:
|
|
|
|
----
|
|
'*' -exec rm -rf {} \;
|
|
----
|
|
|
|
[cols="a"]
|
|
|===
|
|
h| Non-compliant code example
|
|
|
|
|
[source,csharp]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
public void Run(string args)
|
|
{
|
|
Process p = new Process();
|
|
p.StartInfo.FileName = "/usr/bin/find";
|
|
p.StartInfo.Arguments = "/some/folder -iname " + args; // Noncompliant
|
|
p.Start();
|
|
}
|
|
}
|
|
----
|
|
h| Compliant solution
|
|
|
|
|
[source,csharp]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
public void Run(string args)
|
|
{
|
|
Process p = new Process();
|
|
p.StartInfo.FileName = "/usr/bin/find";
|
|
p.StartInfo.ArgumentList.Add("/some/folder");
|
|
p.StartInfo.ArgumentList.Add("-iname");
|
|
p.StartInfo.ArgumentList.Add(args);
|
|
p.Start();
|
|
}
|
|
}
|
|
----
|
|
|===
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/introduction.adoc[]
|
|
|
|
|
|
Here `ArgumentList` takes care of escaping the passed arguments and internally
|
|
creates a single string given to the operating system when `System.Diagnostics.Process.Start()` is
|
|
called.
|
|
|
|
|