
Metadata

ID: csharp-security/untrusted-env-var

Language: C#

Severity: Error

Category: Security

CWE: 454

Description

No description found

Non-Compliant Code Examples

using System.Diagnostics;

/// <summary>
/// Empty stand-in for a framework controller base type; it only exists so the
/// example below has something to derive from.
/// </summary>
public class Controller
{
}

public class ExampleController : Controller
{
    /// <summary>
    /// Starts an executable with one environment variable whose name and value
    /// both come straight from the caller.
    /// </summary>
    /// <param name="name">Name of the environment variable to set on the child process.</param>
    /// <param name="value">Value assigned to that variable.</param>
    public void Example(string name, string value)
    {
        var proc = new Process
        {
            StartInfo =
            {
                FileName = "path/to/executable",
            },
        };
        // Noncompliant: name is a variable — a caller-chosen name can land on an entry
        // the rule's sensitive list expects to stay under the application's control.
        proc.StartInfo.EnvironmentVariables.Add(name, value);
        proc.Start();
    }
}

Compliant Code Examples

using System.Diagnostics;
using System.Text.RegularExpressions;

/// <summary>
/// Empty stand-in for a framework controller base type; it only exists so the
/// example below has something to derive from.
/// </summary>
public class Controller
{
}

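public class ExampleController : Controller
{
    // Allow-list for the caller-supplied value (a constructed example pattern):
    // a pattern such as "^*$" matches every input, including the empty string, so
    // the check must spell out the accepted characters explicitly.
    private static readonly Regex ValuePattern =
        new("^[A-Za-z0-9_./-]*$", RegexOptions.CultureInvariant);

    /// <summary>
    /// Starts an executable, passing <paramref name="value"/> to it under the fixed
    /// environment-variable name "ENV_VAR" once the value has passed the allow-list.
    /// </summary>
    /// <param name="value">
    /// Caller-supplied value; it is only forwarded when it matches <see cref="ValuePattern"/>.
    /// A null value is treated like a rejected one and the variable is not set.
    /// </param>
    public void Example(string value)
    {
        var proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        // Environment variables are only applied when the process is started directly
        // rather than via the shell; on .NET Framework UseShellExecute defaults to true
        // and Start() would refuse the EnvironmentVariables entry.
        proc.StartInfo.UseShellExecute = false;
        if (value is not null && ValuePattern.IsMatch(value))
        {
            // Name "ENV_VAR" is not in the sensitive list, so value being dynamic is ok here.
            proc.StartInfo.EnvironmentVariables.Add("ENV_VAR", value);
        }
        proc.Start();
    }
}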
