Do not define env vars from user input

This product is not supported for your selected Datadog site. ().
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Metadata

ID: csharp-security/untrusted-env-var

Language: C#

Severity: Error

Category: Security

CWE: 454

Description

No description found

Non-Compliant Code Examples

using System.Diagnostics;

public class Controller { }

public class ExampleController : Controller
{
    public void Example(string name, string value)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        proc.StartInfo.EnvironmentVariables.Add(name, value); // Noncompliant: name is a variable
        proc.Start();
    }
}

Compliant Code Examples

using System.Diagnostics;
using System.Text.RegularExpressions;

public class Controller { }

public class ExampleController : Controller
{
    public void Example(string value)
    {
        Process proc = new Process();
        proc.StartInfo.FileName = "path/to/executable";
        string pattern = "^*$";
        Match m = Regex.Match(value, pattern);
        if (m.Success) {
            // Name "ENV_VAR" is not in the sensitive list, so value being dynamic is ok here.
            proc.StartInfo.EnvironmentVariables.Add("ENV_VAR", value);
        }
        proc.Start();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

シームレスな統合。 Datadog Code Security をお試しください

Datadog Code Security