Veracode still reports OS command injection issue after I have applied the solution as recommendations from OWASP and Roslyn Security Guard


Question

Current code in my project is shown below and Veracode reports there is an OS command injection

using System.Diagnostics;
using System.Text.RegularExpressions;

// Replace every character outside the allowlist with "_" and append the extension
filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") + ".svg";

ProcessStartInfo startInfo = default(ProcessStartInfo);
Process pStart = new Process();
// OS command injection is raised at this line
startInfo = new ProcessStartInfo(myExecutedFilePath, "\"" + filename + "\" --export-pdf=\"" + filename + "\"");
pStart.StartInfo = startInfo;
pStart.Start();
pStart.WaitForExit();

So, I researched the solution to this issue from OWASP and Roslyn Security Guard.

  • OWASP post: https://www.owasp.org/index.php/OS_Command_Injection_Defense_Cheat_Sheet
  • Roslyn Security Guard post: https://dotnet-security-guard.github.io/SG0001.htm

And here is my code after modifying it based on those posts.

using System.Diagnostics;
using System.Text.RegularExpressions;

// Replace every character outside the allowlist with "_" and append the extension
filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") + ".svg";

ProcessStartInfo startInfo = default(ProcessStartInfo);
Process pStart = new Process();
startInfo = new ProcessStartInfo();
// Executable path and arguments are now set separately
startInfo.FileName = myExecutedFilePath;
// Veracode still reports the issue at this line
startInfo.Arguments = "\"" + filename + "\" --export-pdf=\"" + filename + "\"";
pStart.StartInfo = startInfo;
pStart.Start();
pStart.WaitForExit();

BUT, Veracode still reports OS command injection.

So my concerns here are:

  1. Did I apply the correct solution to solve OS command injection in this case?

Or, should I propose a mitigation for it?

Answer

I have received the answer from Veracode.

"You are right that separating the file path and arguments in the ProcessStartInfo object is a good beginning and that validating the filename to only include alphanumeric characters should also help.

The likely reason the static engine is still reporting this as a flaw is that Veracode doesn't recognize any cleansing functions for .NET for CWE 78. Because of this, any time we see user input being passed to a function that represents a command "sink" we will flag as CWE 78. We also don't evaluate the accuracy/efficacy of regex strings, so even if the regex were completely accurate we would still flag the flaw.

Two recommendations:

  1. Consider scheduling a consultation if you want one of our application security consultants to help validate that your changes are correct in context.
  2. Once you're 100% comfortable that your fix addresses the flaw, I recommend documenting this in a mitigation. "
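As an added example (not the asker's code and not something Veracode supplied), this is the hardened form of the launch shown in the question: it keeps the separated FileName/arguments that the reply calls a good beginning, but rejects rather than rewrites names that fail the allowlist, passes each argument through ProcessStartInfo.ArgumentList (available in .NET Core 2.1 and later; on .NET Framework the Arguments string has to be built instead) and sets UseShellExecute to false so no shell ever parses the command line. The converter path, the working directory and writing the output as a .pdf are assumptions; per the reply above the static engine may still flag the sink, and this validation is what the mitigation record would describe.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

public static class SvgExporter
{
    // Allowlist: first character a letter or digit (so the value can never look like
    // an option switch), then letters, digits or underscore, at most 64 characters.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9][A-Za-z0-9_]{0,63}$");

    // Rejects names that fail the allowlist instead of rewriting them: Regex.Replace
    // would silently map "a.b" and "a_b" to the same file.
    public static string ValidateBaseName(string input)
    {
        if (string.IsNullOrEmpty(input) || !SafeName.IsMatch(input))
            throw new ArgumentException("file name must be alphanumeric/underscore", nameof(input));
        return input;
    }

    // Runs the converter (assumed path exePath) on <name>.svg and writes <name>.pdf
    // inside workDir (assumed directory). Returns the process exit code.
    public static int ExportPdf(string exePath, string workDir, string untrustedName)
    {
        string baseName = ValidateBaseName(untrustedName);
        string svgPath = Path.Combine(workDir, baseName + ".svg");
        string pdfPath = Path.Combine(workDir, baseName + ".pdf");

        var startInfo = new ProcessStartInfo
        {
            FileName = exePath,       // fixed, trusted executable path, never user data
            UseShellExecute = false,  // no cmd.exe / sh parses this command line
            WorkingDirectory = workDir
        };
        // One argument per element; the runtime applies the OS quoting rules, so no
        // hand-built "\"" + filename + "\"" string is needed (.NET Core 2.1+ / .NET 5+).
        startInfo.ArgumentList.Add(svgPath);
        startInfo.ArgumentList.Add("--export-pdf=" + pdfPath);

        using (Process p = Process.Start(startInfo))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }
}
```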
