3

I want to open a text file programmatically using C#. I have used:

System.Diagnostics.Process.Start("test.txt");

but this code is causing an OS command injection problem when scanning for threats.

Is there any way that I can open a text file programmatically? Or a way to bypass that OS command injection?

Thank you

Amith
user3024468

2 Answers

1

You should call a program, say notepad:

Process.Start("notepad.exe", fileName);

The argument is the file name:

 Process.Start("notepad.exe", "Test.txt");

See the problem with your code in the comments of this post: Open a file with Notepad in C#

Community
omer schleifer
  • I am trying this solution now and will submit a scan. Thanks for the immediate reply. – user3024468 Jan 14 '14 at 08:59
  • This does not solve the issue, it is still catching the process.start as OS COMMAND INJECTION. – user3024468 Jan 14 '14 at 11:59
  • Are you actually putting in a string such as "this_is_hard_coded.txt" or just passing an argument without any validation? See: https://www.owasp.org/index.php/OS_Injection – omer schleifer Jan 14 '14 at 12:40
  • First time: var test = "test.txt" process.start(test). I had even validated the variable to check if it contains 'txt'. – user3024468 Jan 14 '14 at 12:59
  • Yes, but have you tried passing notepad.exe and test.txt both as hard-coded strings (not from args)? If this doesn't work for you I have to give up :) – omer schleifer Jan 15 '14 at 07:50
  • Yes, I have tried this: process.start("notepad.exe","test.txt"). The scan is still pointing to this as a threat. – user3024468 Jan 15 '14 at 11:14
0

Try:

 System.Diagnostics.Process process = new System.Diagnostics.Process();
 System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
 startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
 startInfo.FileName = "cmd.exe";
 string _path = "c:/filepath";
 startInfo.Arguments = string.Format("/C start {0}", _path);
 process.StartInfo = startInfo;
 process.Start();
Kirtan Magan
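An added example, not from either answer above: the file name is validated against an allow-listed directory and extension, and the editor is started directly by absolute path with `UseShellExecute = false`, so no shell or `cmd.exe` parses the input. The directory `C:\AppData\Reports` and the class and method names are assumptions made for illustration; whether a particular scanner still reports the `Process.Start` call depends on its rules.

```csharp
using System;
using System.Diagnostics;
using System.IO;

static class SafeTextFileOpener
{
    // Hypothetical directory the application is allowed to open files from.
    const string AllowedDir = @"C:\AppData\Reports";

    // Resolves the requested name and returns a full path only if it is an
    // existing .txt file inside AllowedDir; throws otherwise.
    public static string ResolveAllowedPath(string requested)
    {
        string baseDir = Path.GetFullPath(AllowedDir)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        // GetFullPath collapses "..\" segments and Combine keeps a rooted
        // input as-is, so traversal and absolute paths fail the check below.
        string full = Path.GetFullPath(Path.Combine(baseDir, requested));

        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path is outside the allowed directory.");
        if (!string.Equals(Path.GetExtension(full), ".txt", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Only .txt files may be opened.");
        if (!File.Exists(full))
            throw new FileNotFoundException("File not found.", full);
        return full;
    }

    public static Process OpenInNotepad(string requested)
    {
        string full = ResolveAllowedPath(requested);
        var startInfo = new ProcessStartInfo
        {
            // Absolute path to the editor: no PATH search, no file association lookup.
            FileName = Path.Combine(Environment.SystemDirectory, "notepad.exe"),
            // A Windows file name cannot contain '"', so quoting keeps it one argument.
            Arguments = "\"" + full + "\"",
            // Create the process directly rather than through the Windows shell.
            UseShellExecute = false
        };
        return Process.Start(startInfo);
    }

    static void Main()
    {
        OpenInNotepad("test.txt"); // constructed sample file name
    }
}
```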