C#-CWE-20

Improper Input Validation (CWE-20): application fails to validate or sanitize input, allowing unexpected values

Required inputs: CSharpAST

This rule detects **Improper Input Validation (CWE-20)** where user-controlled or external input is used without proper validation or sanitization. Improper validation can lead to a wide range of vulnerabilities depending on how the input is later used (logic errors, crashes, injection, access control bypasses, etc.). Example (unsafe — OS command injection):

public IActionResult Run(string cmd)
{
    // Dangerous: user input is concatenated into a shell command.
    // An attacker can provide something like: "dir && del C:\important\file"
    var psi = new ProcessStartInfo("cmd.exe", "/c " + cmd)
    {
        UseShellExecute = false
    };
    Process.Start(psi); // user input → OS command injection
    return Ok();
}
Fix (validate, whitelist, avoid shell where possible):

public IActionResult Run(string cmd)
{
    // Requires: using System.Diagnostics; using System.Linq; using Microsoft.AspNetCore.Mvc;
    // Recommended: use a strict whitelist of allowed commands or map user input to safe, predefined commands.
    var allowed = new[] { "list-files", "show-status" };
    if (!allowed.Contains(cmd))
        return BadRequest("command not allowed");

    // Map the safe command to a known executable/argument set (do not forward raw user input to shell).
    if (cmd == "list-files")
    {
        // Verbatim string (@"...") so the backslashes are not parsed as escape sequences.
        var psi = new ProcessStartInfo(@"C:\Tools\SafeList.exe", "--all")
        {
            UseShellExecute = false
        };
        Process.Start(psi);
    }

    return Ok();
}
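The following is an added example, not code from the rule page or from any project it describes. It generalizes the fix above into a small allow-list dispatcher: user input only selects an entry in a fixed table of executables and arguments, an optional user-supplied argument is checked against a strict pattern and passed as a separate argv entry rather than concatenated, and anything else is rejected rather than "cleaned". The class and member names (CommandRunner, SafeCommands, Build, IsSafeName) and the tool paths are assumptions; Build returns the ProcessStartInfo instead of starting it so the program runs without those tools installed.

```csharp
// Added example (not part of the rule page). All names and tool paths are hypothetical.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class CommandRunner
{
    // Allow-list: user-facing command name -> fixed executable and fixed arguments.
    // The user's string selects an entry; it is never inserted into a command line.
    private static readonly Dictionary<string, (string FileName, string Argument)> SafeCommands =
        new Dictionary<string, (string, string)>(StringComparer.Ordinal)
        {
            ["list-files"]  = (@"C:\Tools\SafeList.exe", "--all"),
            ["show-status"] = (@"C:\Tools\Status.exe", "--brief"),
        };

    // Strict pattern for an optional name argument: letters, digits, '-' and '_', 1 to 32 chars.
    // Anchored with ^ and $ so partial matches do not pass.
    private static readonly Regex SafeName =
        new Regex(@"^[A-Za-z0-9_-]{1,32}$", RegexOptions.CultureInvariant);

    public static bool IsSafeName(string value) => value != null && SafeName.IsMatch(value);

    // Returns the ProcessStartInfo that would be started, or null when the input is rejected.
    public static ProcessStartInfo Build(string cmd, string name = null)
    {
        if (cmd == null || !SafeCommands.TryGetValue(cmd, out var entry))
            return null; // unknown command: reject outright, do not try to sanitize it

        var psi = new ProcessStartInfo(entry.FileName)
        {
            UseShellExecute = false,   // no cmd.exe involved, so shell metacharacters have no meaning
            RedirectStandardOutput = true,
        };
        psi.ArgumentList.Add(entry.Argument);

        if (name != null)
        {
            if (!IsSafeName(name))
                return null;           // fails the allow-list pattern: reject
            psi.ArgumentList.Add("--name");
            psi.ArgumentList.Add(name); // separate argv entry, never string-concatenated
        }
        return psi;
    }

    public static void Main()
    {
        // Constructed sample inputs: two valid command names and one taken from the page's unsafe example.
        foreach (var input in new[] { "list-files", "show-status", @"dir && del C:\important\file" })
        {
            var psi = Build(input);
            Console.WriteLine($"{input,-32} -> {(psi == null ? "rejected" : psi.FileName)}");
        }

        // Constructed sample arguments for the name validator.
        Console.WriteLine($"report_2024 -> {(IsSafeName("report_2024") ? "accepted" : "rejected")}");
        Console.WriteLine($"../secret   -> {(IsSafeName("../secret") ? "accepted" : "rejected")}");
    }
}
```

The design point is that validation is a decision, not a transformation: input either matches an allow-list entry or pattern and is used as-is in a fixed position, or it is rejected with no attempt to strip "bad" characters. ProcessStartInfo.ArgumentList is used instead of the Arguments string so each value is passed as its own argument and quoting rules cannot be subverted.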

Possible Messages

Key             Text                                                       Severity   Disabled
tainted_input   Input is used without proper validation or sanitization.   None       False

Options