C#-CWE-78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Required inputs: CSharpAST

This rule detects OS command injection vulnerabilities, where user input is used to build operating system commands without proper validation or sanitization, which may allow attackers to execute arbitrary commands. The rule flags non-constant values assigned to ProcessStartInfo.Arguments; values added through ArgumentList are passed to the child process as single, separate arguments and are not split by the command-line parser. Example of a safe implementation in C# using ArgumentList to safely add arguments:

using System;
using System.Diagnostics;

public static void SafeProcessStart(string userInput)
{
    var startInfo = new ProcessStartInfo
    {
        FileName = "ping.exe",
        RedirectStandardOutput = true,
        UseShellExecute = false,
        CreateNoWindow = true
    };

    // Add user input as a separate argument to avoid command injection:
    // the value reaches ping.exe as exactly one argument, however it is spelled.
    startInfo.ArgumentList.Add(userInput);

    using (var process = Process.Start(startInfo))
    {
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        Console.WriteLine(output);
    }
}
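The following added example (not part of the rule's documentation) puts the pattern this rule reports next to the two forms it accepts: a non-constant string assigned to Arguments (reported as direct_arguments_assignment), a compile-time constant assigned to Arguments (accepted), and the ArgumentList form (accepted). The class and method names PingRunner, RunFlagged, RunConstant and RunCompliant, the shared Run helper and the HostName allow-list regex are assumptions of this example; the allow-list is an extra check added here, since ArgumentList keeps a value from being split into several arguments but does not by itself reject a value that is not a host name at all.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class PingRunner
{
    // Runs the configured process and returns its stdout. Helper shared by the
    // three variants below so the ProcessStartInfo construction stays the focus.
    private static string Run(ProcessStartInfo psi)
    {
        psi.RedirectStandardOutput = true;
        psi.UseShellExecute = false;
        psi.CreateNoWindow = true;
        using (var process = Process.Start(psi))
        {
            string output = process.StandardOutput.ReadToEnd();
            process.WaitForExit();
            return output;
        }
    }

    // REPORTED (direct_arguments_assignment): Arguments is built from a non-constant.
    // Even with UseShellExecute = false, the single string is re-parsed into separate
    // arguments by the child process, so user-controlled spaces and quotes change
    // which arguments ping.exe actually receives.
    public static string RunFlagged(string host)
    {
        var psi = new ProcessStartInfo
        {
            FileName = "ping.exe",
            Arguments = "-n 1 " + host, // non-constant expression assigned to Arguments
        };
        return Run(psi);
    }

    // ACCEPTED: only a compile-time constant is assigned to Arguments.
    public static string RunConstant()
    {
        const string FixedArguments = "-n 1 127.0.0.1";
        var psi = new ProcessStartInfo
        {
            FileName = "ping.exe",
            Arguments = FixedArguments,
        };
        return Run(psi);
    }

    // Allow-list for the value we are willing to hand to ping.exe (assumption of this
    // example): letters, digits, dots and hyphens, and not starting with '-', so the
    // value can never be interpreted as a switch.
    private static readonly Regex HostName =
        new Regex(@"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$", RegexOptions.Compiled);

    // ACCEPTED: every value is one element of ArgumentList. Each element is delivered
    // to the child process as exactly one argument regardless of its content.
    public static string RunCompliant(string host)
    {
        if (!HostName.IsMatch(host))
        {
            throw new ArgumentException("host must be a plain host name or IPv4 address", nameof(host));
        }

        var psi = new ProcessStartInfo { FileName = "ping.exe" };
        psi.ArgumentList.Add("-n");
        psi.ArgumentList.Add("1");
        psi.ArgumentList.Add(host); // one argument, never split or re-parsed
        return Run(psi);
    }

    public static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "127.0.0.1";
        Console.WriteLine(RunCompliant(host));
    }
}
```

ArgumentList is available from .NET Core 2.1 and in .NET 5 and later; on earlier targets the constant-Arguments form is the only one this rule accepts. Note that ArgumentList removes the argument-splitting problem but does not make an arbitrary FileName safe: if the started program is itself a shell or interpreter, the child will interpret its arguments as commands, so the allow-list style check in RunCompliant is still worth keeping.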

Possible Messages

Key                          Text                                                                                       Severity  Disabled
direct_arguments_assignment  Only constants are allowed on assignment to Arguments, for others use “ArgumentList.Add”.  None      False

Options