When executing an OS command and unless you specify the full path to the executable, then the locations in your application’s PATH
environment variable will be searched for the executable. That search could leave an opening for an attacker if one of the elements in
PATH
is a directory under his control.
Ask Yourself Whether
- The directories in the PATH environment variable may be defined by not trusted entities.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Fully qualified/absolute path should be used to specify the OS command to execute.
Sensitive Code Example
Process p = new Process();
p.StartInfo.FileName = "binary"; // Sensitive
Compliant Solution
Process p = new Process();
p.StartInfo.FileName = @"C:\Apps\binary.exe"; // Compliant
See