rcmaehl, posted March 20, 2023 (edited)

Hi all, I have an issue in which I have to use Run() over ShellExecute() due to differences in how each handles symlinks. Specifically, Run() does not trigger Image File Execution Options that have been set, whereas ShellExecute() does. This requires me to do Run($sPath & $sArgs). This gives me some concern about allowing unintended code to be executed instead of being directly passed as an argument to $sPath. Is there any way I can have the safety of ShellExecute while specifically using Run() or another command?

Edited March 20, 2023 by rcmaehl
mistersquirrle, posted March 20, 2023

I imagine that you'll have to handle the sanitization of $sArgs yourself, likely disallowing anything after "&" for example as a first step to prevent a second command from being run.

This function may also be of interest when first thinking about your problem (since I recently was looking at it): _WinAPI_PathGetArgs - https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_PathGetArgs.htm

But reading its remarks makes me think then again maybe not: "This function should not be used on generic command path templates (from users or the registry), but rather should be used only on templates that the application knows to be well formed."

The other option would be that if you know what CMD things shouldn't be allowed, only parse $sArgs up to that point. I'm certainly no Windows/CMD guru, but I know at least "&" and "|" should probably be blocked (unless contained inside quotes, maybe?). So you could try some RegEx. I think some of the simplest you could do would be:

(^[^&|]*)

That should only return/match everything until the first "&" or "|". If you NEED to be able to match those characters as part of a parameter, it likely starts becoming more complex.

Reading up a little, you can use a caret "^" to escape special characters as well, so you could prefix any 'special' character with ^ and likely just end up invalidating the whole command:

```autoit
Global $sEscapePattern = '([&|()<>])' ; Technically ^ may be a character you want to replace.

Func __Sanitize_RegEx($sString)
    Return StringRegExpReplace($sString, $sEscapePattern, '^$1')
EndFunc
```

It might be easier to help or answer the question if you can give any examples of what you're expecting to encounter, or potential valid/invalid uses.
rcmaehl (author), posted March 22, 2023 (edited)

On 3/20/2023 at 12:43 AM, mistersquirrle said: "It might be easier to help or answer the question if you can give any examples of what you're expecting to encounter, or potential valid/invalid uses."

Unfortunately, the input is partially user controlled, so I don't have a lot of control over it. I've found _WinAPI_CreateProcess works, but I'm having issues getting command line arguments to be handled by it.

EDIT: Actually, I think I got _WinAPI_CreateProcess to work with arguments.

Edited March 22, 2023 by rcmaehl
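The thread above is about passing a partly user-controlled $sArgs string to Run() or _WinAPI_CreateProcess() without letting it change what gets executed. Both of those hand a single flat command-line string to CreateProcess(); no cmd.exe is involved unless $sPath itself is cmd.exe, so "&" and "|" are not interpreted by anything on the way in. What does interpret the string is the child program's own C runtime, which splits it back into argv using the same rules as CommandLineToArgvW. The practical defence is therefore not a character blocklist but quoting each argument so that it survives that split as exactly one token. The following Python is an added illustration of those rules and is not code from the thread or from AutoIt; the function names (quote_arg, build_command_line, split_command_line, demo) and the hostile sample input are constructed for this example, and the same quoting logic is what an AutoIt helper would implement before concatenating the result into the string passed to Run().

```python
"""Windows command-line quoting, shown as an added example (not code from the thread).

Run() in AutoIt and _WinAPI_CreateProcess() both pass one flat string to
CreateProcess(); the *child* program (usually its C runtime, following the
CommandLineToArgvW rules) splits that string back into argv. To pass an
untrusted value safely, quote it so it survives that split as one token.
"""


def quote_arg(arg: str) -> str:
    """Quote one argument per the CommandLineToArgvW backslash/quote rules.

    - no quoting needed if the value has no space, tab or double quote;
    - otherwise wrap in double quotes, double any run of backslashes that
      precedes a double quote (or the closing quote), and escape the quote.
    """
    if arg and not any(c in arg for c in ' \t"'):
        return arg
    out = ['"']
    backslashes = 0
    for ch in arg:
        if ch == "\\":
            backslashes += 1
        elif ch == '"':
            out.append("\\" * (backslashes * 2 + 1) + '"')
            backslashes = 0
        else:
            out.append("\\" * backslashes + ch)
            backslashes = 0
    out.append("\\" * (backslashes * 2) + '"')
    return "".join(out)


def build_command_line(exe: str, args) -> str:
    """Build the single string you would pass to Run()/CreateProcess."""
    return " ".join(quote_arg(part) for part in [exe, *args])


def split_command_line(cmdline: str) -> list:
    """Re-split a command line the way CommandLineToArgvW splits arguments.

    Reference parser used only to *verify* the quoting. Rules modelled:
    whitespace separates tokens outside quotes; 2n backslashes + quote give
    n backslashes and a quote toggle; 2n+1 backslashes + quote give n
    backslashes and a literal quote; any other backslash is literal.
    (The program-name token has simpler rules; keep it free of spaces.)
    """
    args, cur, in_quotes, have_token = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:  # odd run: the last backslash escapes the quote
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * count)
            i, have_token = j, True
        elif ch == '"':
            in_quotes, have_token, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(ch)
            have_token, i = True, i + 1
    if have_token:
        args.append("".join(cur))
    return args


def demo(untrusted: str):
    """Compare naive wrapping ('"' + arg + '"') with real quoting.

    Returns (argv the child sees with naive wrapping, argv with quote_arg).
    """
    naive = split_command_line('"' + untrusted + '"')
    proper = split_command_line(quote_arg(untrusted))
    return naive, proper


if __name__ == "__main__":
    # Constructed attacker-style input: the embedded quote breaks out of a
    # naive wrapper and turns one intended argument into four.
    hostile = 'report.txt" --out C:\\evil "x'
    print(demo(hostile))
    print(build_command_line("C:\\Tools\\app.exe", ["C:\\my dir\\", hostile]))
```

Two caveats a practitioner should keep in mind. First, this quoting guarantees that the child receives the user's value as one argument; it does not make that argument harmless, so if the program reached via $sPath treats certain arguments as options (a classic argument-injection pattern), those still need a policy check of their own. Second, the rules above are the C-runtime rules; if $sPath is cmd.exe, or a program that parses its own raw command line differently, the child does not follow them, and that is where the "&" and "|" concerns from the thread genuinely apply.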