Question
Current code in my project is shown below, and Veracode reports an OS command injection:
```csharp
using System.Diagnostics;
using System.Text.RegularExpressions;

filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") + ".svg";
ProcessStartInfo startInfo = default(ProcessStartInfo);
Process pStart = new Process();
// Veracode: OS command injection is reported at this line
startInfo = new ProcessStartInfo(myExecutedFilePath, "\"" + filename + "\" --export-pdf=\"" + filename + "\"");
pStart.StartInfo = startInfo;
pStart.Start();
pStart.WaitForExit();
```
So I researched solutions for this issue from OWASP and Roslyn Security Guard.
- OWASP post: https://www.owasp.org/index.php/OS_Command_Injection_Defense_Cheat_Sheet
- Roslyn Security Guard post: https://dotnet-security-guard.github.io/SG0001.htm
And here is my code after modifying it based on those posts.
```csharp
using System.Diagnostics;
using System.Text.RegularExpressions;

filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") + ".svg";
ProcessStartInfo startInfo = default(ProcessStartInfo);
Process pStart = new Process();
startInfo = new ProcessStartInfo();
startInfo.FileName = myExecutedFilePath;
// Veracode still reports the issue at this line
startInfo.Arguments = "\"" + filename + "\" --export-pdf=\"" + filename + "\"";
pStart.StartInfo = startInfo;
pStart.Start();
pStart.WaitForExit();
```
BUT Veracode still reports OS command injection.
So my concerns here are:
Did I apply the correct solution to solve OS command injection in this case?
Or should I propose a mitigation for it?
Answer 1:
I have received the answer from Veracode.
"You are right that separating the file path and arguments in the ProcessStartInfo object is a good beginning and that validating the filename to only include alphanumeric characters should also help.
The likely reason the static engine is still reporting this as a flaw is that Veracode doesn't recognize any cleansing functions for .NET for CWE 78. Because of this, any time we see user input being passed to a function that represents a command "sink" we will flag as CWE 78. We also don't evaluate the accuracy/efficacy of regex strings, so even if the regex were completely accurate we would still flag the flaw.
Two recommendations:
- Consider scheduling a consultation if you want one of our application security consultants to help validate that your changes are correct in context.
- Once you're 100% comfortable that your fix addresses the flaw, I recommend documenting this in a mitigation. "
Answer 2:
I suppose filename is user input.
This is technically OS command injection, but you can argue it's "mitigated by design" in Veracode terms, because the filename is strongly validated (T: M1, S: Only letters and numbers are valid characters for the filename, others will be replaced).
However, this raises questions of another vulnerability, external control of filename or path (aka. path injection). While validation in your code will mitigate most of it, consider edge cases like an already existing file, or a filename consisting of a null byte (\0), or an empty filename.
For example, your application could invoke this PDF export executable to offer the resulting PDF for the user to download. If called with a filename that already exists, the new PDF may not be created, but the existing one could be offered for download without authorization. This is just an example; similar problems may arise right now, or in the future as your code evolves.
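The following is an added example (not code from the question or from Veracode) showing how the points above combine: a reject-don't-repair whitelist that also catches empty names and null bytes, confinement of the resolved paths to one fixed export directory, a check for the "already exists" case, and argument passing without a hand-built quoted string. It assumes .NET Core 2.1 or later for `ProcessStartInfo.ArgumentList`; `ExporterPath` and `OutputDir` are placeholders for the real deployment paths, and the PDF is written to a separate `.pdf` name rather than reusing the `.svg` name as the question does.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

static class SafeExport
{
    // Placeholders: the real exporter and output directory are deployment-specific.
    const string ExporterPath = @"C:\tools\exporter.exe";  // stands in for myExecutedFilePath
    const string OutputDir    = @"C:\app\exports";         // the only directory ever written to

    // Anchored whitelist with a length cap: "", "\0", "..", "/" and "-flag" all fail to match.
    static readonly Regex SafeName = new Regex("^[a-zA-Z0-9_]{1,64}$", RegexOptions.Compiled);

    // Returns the full path of the PDF to serve, or throws. The caller never picks a directory.
    public static string ExportToPdf(string userFilename)
    {
        // 1. Reject instead of replacing: Regex.Replace would silently turn "../x" into "___x",
        //    which hides the attempt from logs and lets an empty name become just ".svg".
        if (string.IsNullOrEmpty(userFilename) || !SafeName.IsMatch(userFilename))
            throw new ArgumentException("filename must be 1-64 characters of [a-zA-Z0-9_]");

        string svgPath = Path.Combine(OutputDir, userFilename + ".svg");
        string pdfPath = Path.Combine(OutputDir, userFilename + ".pdf");

        // 2. Defence in depth: confirm both resolved paths still sit inside OutputDir.
        string root = Path.GetFullPath(OutputDir) + Path.DirectorySeparatorChar;
        if (!Path.GetFullPath(svgPath).StartsWith(root, StringComparison.Ordinal) ||
            !Path.GetFullPath(pdfPath).StartsWith(root, StringComparison.Ordinal))
            throw new InvalidOperationException("resolved path escaped the export directory");

        // 3. The "already exists" case from the answer: never hand back a PDF this run did not
        //    create. (A check-then-write race remains; FileMode.CreateNew is the atomic option.)
        if (File.Exists(pdfPath))
            throw new InvalidOperationException("output already exists: " + Path.GetFileName(pdfPath));

        // 4. No shell and no quoting by hand: each argument reaches the exporter exactly as given.
        var psi = new ProcessStartInfo { FileName = ExporterPath, UseShellExecute = false, CreateNoWindow = true };
        psi.ArgumentList.Add(svgPath);
        psi.ArgumentList.Add("--export-pdf=" + pdfPath);

        using (var p = Process.Start(psi))
        {
            p.WaitForExit();
            if (p.ExitCode != 0 || !File.Exists(pdfPath))
                throw new InvalidOperationException("exporter failed, exit code " + p.ExitCode);
        }
        return pdfPath;
    }
}
```

Veracode will still flag the `ProcessStartInfo` sink, as Answer 1 explains, so this is the kind of change to document as a mitigation rather than expect the scanner to recognise.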
Source: https://stackoverflow.com/questions/51490167/veracode-still-reports-os-command-injection-issue-after-i-have-applied-the-solut