C#-CWE-77

The product constructs commands or command-like strings using externally-influenced input from an upstream component, but it does not properly neutralize or validate special elements that could change the meaning of the command when it is sent to a downstream component. This leads to command injection or unintended command modification.

Required inputs: CSharpAST

This rule detects OS command injection vulnerabilities, where user input is used to build operating system commands without proper validation or sanitization, which may allow attackers to execute arbitrary commands. Example of a safe implementation in C# that uses ArgumentList to pass user input as a single, separate argument:

using System;
using System.Diagnostics;

public static void SafeProcessStart(string userInput)
{
    var startInfo = new ProcessStartInfo
    {
        FileName = "ping.exe",
        RedirectStandardOutput = true,
        UseShellExecute = false,   // start the executable directly, not via a shell
        CreateNoWindow = true
    };

    // Add user input as a separate argument: ArgumentList quotes each element
    // for the target process, so spaces or quotes in userInput cannot split
    // it into additional arguments (this is what avoids command injection).
    startInfo.ArgumentList.Add(userInput);

    using (var process = Process.Start(startInfo))
    {
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        Console.WriteLine(output);
    }
}
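As an added illustration (not code from the rule page), the assignment this rule reports shown beside the form it accepts, plus a host-name allowlist check as a second layer; the class, method and helper names are assumed:

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class PingRunner
{
    // Reported as direct_arguments_assignment: a non-constant string is assigned
    // to Arguments. The started process re-parses that one string into separate
    // arguments, so spaces or quotes in userInput change what gets executed.
    public static string PingFlagged(string userInput)
    {
        var startInfo = new ProcessStartInfo
        {
            FileName = "ping.exe",
            Arguments = "-n 1 " + userInput,   // flagged by the rule
            RedirectStandardOutput = true,
            UseShellExecute = false
        };
        return Run(startInfo);
    }

    // Accepted: every variable piece goes through ArgumentList.Add, which passes
    // each element as exactly one argument. Do not set Arguments as well;
    // .NET throws if both Arguments and ArgumentList are populated.
    public static string PingSafe(string userInput)
    {
        // Extra layer (assumed policy): only plausible host names reach ping.exe.
        if (!Regex.IsMatch(userInput, @"^[A-Za-z0-9.-]{1,253}$"))
            throw new ArgumentException("not a valid host name", nameof(userInput));

        var startInfo = new ProcessStartInfo
        {
            FileName = "ping.exe",            // a real executable, not cmd.exe /c:
            RedirectStandardOutput = true,    // a shell would re-parse arguments
            UseShellExecute = false           // and defeat ArgumentList's quoting
        };
        startInfo.ArgumentList.Add("-n");
        startInfo.ArgumentList.Add("1");
        startInfo.ArgumentList.Add(userInput);
        return Run(startInfo);
    }

    private static string Run(ProcessStartInfo startInfo)
    {
        using var process = Process.Start(startInfo);
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        return output;
    }
}
```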

Possible Messages

Key: direct_arguments_assignment
Text: Only constants are allowed on assignment to Arguments, for others use “ArgumentList.Add”.
Severity: None
Disabled: False

Options