CS.SV.TAINTED.INJECTION
Command Injection in C#
Whenever a string input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The CS.SV.TAINTED family of checkers looks for the use of tainted data in code.
The CS.SV.TAINTED.INJECTION checker flags code where a tainted string can be used as a parameter for routines that invoke external processes.
Vulnerability and risk
When a tainted string reaches a routine that invokes an external process, an attacker who controls that input can:
- provide unexpected values and cause a program crash
- cause excessive resource consumption
- read confidential data
- use malicious input to modify data or alter control flow
- execute arbitrary commands
- run any process that an attacker may want to run
Mitigation and prevention
To avoid tainted input errors:
- Understand all the potential areas in which untrusted inputs could enter your software: parameters or arguments, cookies, input read from the network, environment variables, reverse DNS lookups, query results, filenames, databases, and any external systems.
- Use an allowed list or 'known good' policy for inputs rather than relying only on a blocked list or 'known bad' strategy.
- Validate all relevant properties of the input, including length, type of input, ranges, missing or extra inputs, syntax, and consistency.
- If there are security checks on the client side of an application, ensure the security checks are duplicated on the server side.
- If the application combines inputs from multiple sources, perform the validation after the sources have been combined.
Vulnerable code example 1
using System;
using System.Diagnostics;
namespace TaintedResource
{
    class TestTaintedInjection
    {
        public static void TaintedResourceExample1()
        {
            string taintedString1 = Console.ReadLine();  // tainted source: unvalidated user input
            Process.Start(taintedString1);               // CS.SV.TAINTED.INJECTION
        }
    }
}
Klocwork produces an issue report at line 10, indicating: “Unvalidated string 'taintedString1' is received from an external function through a call to 'ReadLine' at line 9 that can be run as command line through call to 'Start' at line 10. User input can be used to cause arbitrary command execution on the host system. Check strings for length and content when used for command execution”. In this case, the potentially tainted string is passed directly to Process.Start as the program to launch, so a malicious user controls which process runs.
Vulnerable code example 2
using System;
using System.Diagnostics;
namespace TaintedResource
{
    class TestTaintedInjection
    {
        public static void TaintedResourceExample1()
        {
            string taintedString = Console.ReadLine(); // tainted source
            ProcessStartInfo psi = new ProcessStartInfo();
            psi.FileName = taintedString;              // taint propagates into the start info
            Process proc = new Process();
            proc.StartInfo = psi;
            proc.Start();                              // CS.SV.TAINTED.INJECTION
        }
    }
}
Klocwork produces an issue report at line 10, indicating: “Unvalidated string 'taintedString' is received from an external function through a call to 'ReadLine' at line 9 that can be run as command line through call to 'Start' at line 14. User input can be used to cause arbitrary command execution on the host system. Check strings for length and content when used for command execution”. In this case, the taint flows indirectly: the tainted string is assigned to ProcessStartInfo.FileName and the checker follows it through the start info object to the call to Start, which a malicious user could exploit in the same way as in example 1.
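The following is an added example, not code from the Klocwork page, showing the 'known good' mitigation above applied to the two examples: the user-supplied string is only used as a key into a fixed table of executables, the argument is checked against a strict character set, and the process is started without a shell so the argument cannot be reinterpreted. The tool names and paths are hypothetical, and ProcessStartInfo.ArgumentList assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
namespace TaintedResource
{
    class ValidatedInjection
    {
        // Hypothetical allow list: the only executables this program may launch,
        // keyed by a short user-facing keyword. The tainted string is never used as a path.
        private static readonly Dictionary<string, string> AllowedTools =
            new Dictionary<string, string>(StringComparer.Ordinal)
            {
                { "ping", "/bin/ping" }      // hypothetical path
            };
        // Returns the fixed executable for a keyword, or null if the keyword is not allowed.
        public static string ResolveTool(string userChoice)
        {
            if (string.IsNullOrEmpty(userChoice) || userChoice.Length > 16)
                return null;
            return AllowedTools.TryGetValue(userChoice, out var path) ? path : null;
        }
        // Accepts only hostnames / dotted IPs: letters, digits, '.', '-', bounded length,
        // and no leading '-' so the value cannot be parsed as an option switch.
        public static bool IsSafeHostArgument(string arg)
        {
            if (string.IsNullOrEmpty(arg) || arg.Length > 253 || arg[0] == '-')
                return false;
            foreach (char c in arg)
                if (!(char.IsLetterOrDigit(c) || c == '.' || c == '-'))
                    return false;
            return true;
        }
        public static void ValidatedExample()
        {
            string toolPath = ResolveTool(Console.ReadLine()); // tainted, used only as a lookup key
            string host = Console.ReadLine();                  // tainted, validated below
            if (toolPath == null || !IsSafeHostArgument(host))
            {
                Console.Error.WriteLine("Rejected input.");    // fail closed on anything not known good
                return;
            }
            var psi = new ProcessStartInfo(toolPath) { UseShellExecute = false };
            psi.ArgumentList.Add(host); // passed as a discrete argv entry, never through a shell
            using (Process proc = Process.Start(psi)) { proc?.WaitForExit(); }
        }
    }
}
```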
Security training
Application security training materials provided by Secure Code Warrior.