Command Injection

The method StartProcess() in WindowsApiManager.cs calls set_Arguments() to execute a command. This call might allow an attacker to inject malicious commands.

I am getting the above issue while I am trying to pass a file name and arguments to the start process.

I have tried regular expressions and path manipulation techniques, but the Fortify issue is still coming. If I hard-code the file name and arguments to start the process, then the Fortify issue does not come.

Please help me to resolve this.

  • Below is my code

    var cProcess = new Process
    {
        StartInfo =
        {
            FileName = sr,
            Arguments = arguments,
            WindowStyle = ProcessWindowStyle.Minimized,
            UseShellExecute = false
        }
    };
    cProcess.Start();
    return cProcess;

    And I am getting the below Fortify error:

    Command Injection
    (Input Validation and Representation, Semantic)

    The method StartProcess() in WindowsApiManager.cs calls set_Arguments() to execute a command. This call might allow an attacker to inject malicious commands.
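An added example, not part of the original post or the poster's project: one common way to constrain what reaches `FileName` and `Arguments` is to resolve the executable from a fixed allowlist and validate each argument separately before passing it as a discrete element. The class name, the allowlisted tools and the argument pattern are hypothetical, and `ProcessStartInfo.ArgumentList` assumes .NET Core 2.1 or later (it is not available on .NET Framework).

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class SafeProcessLauncher
{
    // Hypothetical allowlist: callers pass a key, never a path; paths are fixed here.
    private static readonly Dictionary<string, string> AllowedTools =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["ping"] = @"C:\Windows\System32\PING.EXE",
            ["ipconfig"] = @"C:\Windows\System32\ipconfig.exe",
        };

    // Assumed per-argument pattern: no spaces, quotes or shell metacharacters.
    private static readonly Regex SafeArgument =
        new Regex(@"\A[A-Za-z0-9._:/-]{1,128}\z", RegexOptions.CultureInvariant);

    public static ProcessStartInfo BuildStartInfo(string toolKey, IEnumerable<string> args)
    {
        if (toolKey == null || !AllowedTools.TryGetValue(toolKey, out var exePath))
            throw new ArgumentException("Tool is not on the allowlist.", nameof(toolKey));

        var psi = new ProcessStartInfo
        {
            FileName = exePath,
            WindowStyle = ProcessWindowStyle.Minimized,
            UseShellExecute = false // same setting as the posted code: no shell in between
        };
        foreach (var arg in args ?? Array.Empty<string>())
        {
            if (arg == null || !SafeArgument.IsMatch(arg))
                throw new ArgumentException("Argument has characters outside the allowed set.", nameof(args));
            psi.ArgumentList.Add(arg); // each element is quoted by the runtime, not by us
        }
        return psi;
    }

    public static void Main()
    {
        // Constructed sample inputs; the process is built but not started here.
        var ok = BuildStartInfo("ping", new[] { "-n", "1", "127.0.0.1" });
        Console.WriteLine(ok.FileName + " with " + ok.ArgumentList.Count + " arguments");
        try { BuildStartInfo("ping", new[] { "127.0.0.1 & echo x" }); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Whether a static analyzer treats this validation as sufficient depends on its rules, so the finding may still need to be reviewed against the allowlist logic.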
