Our product provide a powershell operation interface for the Customer, these function target to .NET Framework and based on Microsoft system.management.automation 6.1.7601.17515, , But the a code security analysis tool VeraCode Scan report
there is a serious security flaw.
The veracode report shown as below:
Description
Improper Neutralization of Special Elements used in an OS Command
Description
This call contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server
with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any.
Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of
iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a "safe" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of
command injection.
Instances found via Static Scan
|
Flaw Id |
Module |
Location |
Exploitability |
Fix By |
| 105 |
system.management.automation.dll |
void ConnectAsync() 76% |
Likely |
9/11/19 |
We don't sure if the DLL really has this security flaw, or the Veracode scan tool report it by a mistake?
Though the latest version of this DLL has not this flaw, but it is based on latest version of .NET Core. And our product based on .NET Framework. Move it from the .NET Framework to .NET Core means lots of work. So we want to check if it is really a security
flaw? If sure, can you please give some advice about how to enhance the security? Thanks.
