有人知道如何修复 CWE 78 吗?操作系统命令中使用的特殊元素的不正确中和(“操作系统命令注入”)
这是我的代码在 veracode 扫描后有 CWE 78: https://cwe.mitre.org/data/definitions/78.html
private void textBox_PreviewMouseDoubleClick(object sender, System.Windows.Input.MouseButtonEventArgs e)
{
SysprepLogViewInfo log = lstView.SelectedItem as SysprepLogViewInfo;
if (log != null)
{
string Logfile = System.IO.Path.Combine(log.Location, log.DisplayName);
if (System.IO.File.Exists(Logfile))
Process.Start("notepad.exe", Logfile); // this line was flagged.
}
}
我的修复不起作用:
private void textBox_PreviewMouseDoubleClick(object sender,System.Windows.Input.MouseButtonEventArgs e)
{
SysprepLogViewInfo log = lstView.SelectedItem as SysprepLogViewInfo;
if (log != null)
{
string Logfile = System.IO.Path.Combine(log.Location, log.DisplayName);
var valDesc = new Regex(@"[a-zA-Z0-9\x20]+$");
if (!valDesc.IsMatch(Logfile))
{
System.Windows.MessageBox.Show(string.Format("log file selected is invalid."), "Error");
}
else
{
if (System.IO.File.Exists(Logfile))
Process.Start(Logfile);
}
}
}
另一个不起作用的修复:
private void textBox_PreviewMouseDoubleClick(object sender, System.Windows.Input.MouseButtonEventArgs e)
{
SysprepLogViewInfo log = lstView.SelectedItem as SysprepLogViewInfo;
if (log != null)
{
string Logfile = System.IO.Path.Combine(log.Location, log.DisplayName);
List<string> logList = new List<string>
{ "C:\\Windows\\Panther\\setupact.log",
"C:\\Windows\\Panther\\setuperr.log",
"C:\\Windows\\Panther\\UnattendGC\\setupact.log",
"C:\\Windows\\Panther\\UnattendGC\\setuperr.log",
"C:\\Windows\\System32\\sysprep\\Panther\\setupact.log",
"C:\\Windows\\System32\\sysprep\\Panther\\setuperr.log" };
if (!logList.Contains(Logfile))
{
System.Windows.MessageBox.Show(string.Format("The log file selected is invalid."), "Error");
}
else
{
if (System.IO.File.Exists(Logfile))
Process.Start(Logfile);
}
}
}
我有时使用与您的第二个修复类似的方法取得了成功。但不要将 logFile 变量传递给 Process.Start,而是使用您验证的字符串。即,不要只执行包含,而是将列表中的每个项目与您的路径进行比较,如果匹配,则将列表项目分配给新字符串,例如cleanedLogFile,并将cleanedLogFile传递给Process.Start。
清除警报的成功率约为 50/50。