Ensure Run Parameters get used as parameters

Hi all,

I have an issue in which I have to use Run() over ShellExecute() due to differences in how each handles symlinks. Specifically, Run() does not trigger any Image File Execution Options that are set, whereas ShellExecute() does. This requires me to do

Run($sPath & $sArgs)

This gives me some concern about allowing unintended code to be executed instead of being directly passed as an argument to $sPath.

Is there any way I can have the safety of ShellExecute() while specifically using Run() or another command?


I imagine that you'll have to handle the sanitization of the $sArgs yourself, likely disallow anything after "&" for example as a first step to prevent a second command from being run.

This function may also be of interest when first thinking about your problem (since I recently was looking at it): _WinAPI_PathGetArgs - https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_PathGetArgs.htm But reading its remarks makes me think then again maybe not: "This function should not be used on generic command path templates (from users or the registry), but rather should be used only on templates that the application knows to be well formed."

The other option would be that if you know what CMD things shouldn't be allowed, only parse $sArgs up to that point. I'm certainly no Windows/CMD guru, but I know at least "&" and "|" should probably be blocked (unless contained inside quotes, maybe?).

So you could try some RegEx. I think some of the simplest you could do would be: (^[^&|]*)

That should only return/match everything until the first "&" or "|". If you NEED to be able to match those characters as part of a parameter, it likely starts becoming more complex.

Reading up a little, you can use a caret "^" to escape special characters as well, so you could prefix any 'special' character with ^ and likely just end up invalidating the whole command:

Global $sEscapePattern = '([&|()<>])' ; Technically ^ may be a character you want to replace.

; Prefix every cmd.exe metacharacter matched above with the caret escape
Func __Sanitize_RegEx($sString)
    Return StringRegExpReplace($sString, $sEscapePattern, '^$1')
EndFunc

It might be easier to help or answer the question if you can give any examples of what you're expecting to encounter, or potential valid/invalid uses.

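A different way to keep user input inside its argument slot, as an added example in AutoIt that is not from this thread (the function names `_QuoteArg`, `_RunWithArgs` and `_Repeat`, the tool path and the sample values are all assumed): quote each argument the way the Microsoft CRT parser expects instead of filtering characters out of it. This only protects how the child program splits its command line; if $sPath is cmd.exe or a batch file, cmd's own parser is still in play and `&` and `|` need the caret escaping shown in the reply above.

```autoit
; Helper assumed here: repeat a one-character string $iCount times.
Func _Repeat($sChar, $iCount)
    Local $sOut = ""
    For $i = 1 To $iCount
        $sOut &= $sChar
    Next
    Return $sOut
EndFunc

; Quote a single argument so that the child's CRT parser (the same rules as
; CommandLineToArgvW) hands it back unchanged, however many spaces, quotes or
; backslashes the user put in it. Only argument boundaries are protected; the
; value itself still reaches the program verbatim.
Func _QuoteArg($sArg)
    ; Nothing to do unless the value is empty or contains space, tab or a quote
    If $sArg <> "" And Not StringRegExp($sArg, '[ \t"]') Then Return $sArg
    Local $sOut = '"', $iBackslashes = 0, $sChar
    For $i = 1 To StringLen($sArg)
        $sChar = StringMid($sArg, $i, 1)
        If $sChar = "\" Then
            $iBackslashes += 1 ; deferred: its meaning depends on what follows
        ElseIf $sChar = '"' Then
            ; 2n backslashes stay literal, the extra one escapes the quote
            $sOut &= _Repeat("\", 2 * $iBackslashes + 1) & '"'
            $iBackslashes = 0
        Else
            $sOut &= _Repeat("\", $iBackslashes) & $sChar
            $iBackslashes = 0
        EndIf
    Next
    ; backslashes right before the closing quote must be doubled
    Return $sOut & _Repeat("\", 2 * $iBackslashes) & '"'
EndFunc

; Build the command line from the program path and a 0-based array of
; argument values, then hand it to Run() instead of concatenating raw input.
Func _RunWithArgs($sPath, $aArgs)
    Local $sCmd = _QuoteArg($sPath)
    For $i = 0 To UBound($aArgs) - 1
        $sCmd &= " " & _QuoteArg($aArgs[$i])
    Next
    Return Run($sCmd)
EndFunc

; Constructed sample: values with a space, embedded quotes, a trailing
; backslash and cmd.exe metacharacters each stay a single argument.
Local $aUserArgs[3] = ['C:\Users\user\My file.txt', 'say "hi" & bye', 'C:\temp\']
_RunWithArgs('C:\tool\tool.exe', $aUserArgs)
```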

On 3/20/2023 at 12:43 AM, mistersquirrle said:

It might be easier to help or answer the question if you can give any examples of what you're expecting to encounter, or potential valid/invalid uses.

Unfortunately, the input is partially user controlled so I don't have a lot of control over it.

I've found _WinAPI_CreateProcess works, but I'm having issues getting command line arguments to be handled by it.

EDIT: Actually, I think I got _WinAPI_CreateProcess to work with arguments.
