SCO 2012: Best Practice – Inserting user input safely into Run .Net Script Activity

after a good discussion at TechNet (Read here), i think we have reached a solution that works.

Problem:

When we are running PowerShell in Orchestrator using published data we insert it directly into the script.

This means that part of the input can contain characters that is able to run malicious code, or just break the script.

f.x. if we use double quotes (") around the input, and the input contains a double quote, it will break the script.

Solution:

Use single quote here-string and make sure that your syntax follows this example:

[System.String] $retrievedUserInput=@’
<insert space><insert published data here>
‘@
$input = $input.Substring(1)

The important part is to use the single quote here string and make sure to insert and extra space before the published data

you can more info about here strings here

(Notice: This is my own suggestion of best practice)

Om forfatteren: Jakob Gottlieb Svendsen

Twitter: @JakobGSvendsen

Jakob Gottlieb Svendsen is a Microsoft Cloud and Data Center Management MVP (http://mvp.microsoft.com/en-us/default.aspx), Working as Global Lead Developer, Senior Consultant and Trainer at CTGlobal, where he is one of the driving forces in keeping CTGlobal a System Center Gold Partner and member of the System Center Alliance.

Since he started at Coretech in 2007, he has focused on Scripting and Development, primarily developing tools, extensions and scripts for the System Center Suite. His main area is Automation (including OMS/Azure Automation, Service Management Automation, PowerShell and Orchestrator). Another area is Windows Azure Pack / Azure Stack, where he does implementation, development, workshops and presentations. He is a world-wide renowned voice in the Automation field.

He is passionately devoted to the community, to which he contributes by being a moderator at TechNet and sharing his knowledge at https://blog.ctglobalservices.com/jgs

Co-founder: PowerShell User Group Denmark
Speaker at MMS 2016, Minneapolis (www.mmsmoa.com)
SCU Europe 2014, 2015, 2016 (www.systemcenteruniverse.ch)
Microsoft TechEd North America 2014, Houston
NIC 2012,2013,2014,2015, Oslo (www.nic.com)
Microsoft CampusDays 2011, 2013, Copenhagen
Microsoft TechDays 2015, Sweden (www.techdays.se)
Microsoft Partner Event: New in SC2012 SP1
User group meetings (PSUG.DK , SCUG.DK/BE/NO, AZMUG + more)
Microsoft Certified Trainer.
Microsoft Scripting Guys Forum Moderator

Main working areas:

Automation (Azure Automation, SMA, SCO)
Windows Azure Pack / Azure Stack
System CenterVisual Studio Team Services / Team Foundation Server
Development:C#.Net, VB.NET, VBScript, PowerShell, Service Manager, OpsMgr, ConfigMgr
Orchestrator
Windows Azure Pack / Azure Stack

Training:

Azure Automation
Service Management Automation
System Center Orchestrator
PowerShell, VBScript, C#.Net, VB.Net
Windows Azure Pack / Azure Stack Development Workshops

En kommentar

Deepak februar 5, 2018 af 15:05

Hi Jakob

Thanks for sharing the information. but this does not really solve all crafted input. This one can still run.

$string = @’
‘@; get-service;sfasdfa
sdfasdfa
‘@ ; get-service ; @’
‘@

input publish data could not line break and next line they could close the ‘@; before issuing the injected statement.

Cheers
Deepak

Der er lukket for kommentarer.

SCO 2012: Best Practice – Inserting user input safely into Run .Net Script Activity

Share This Story, Choose Your Platform!

Om forfatteren: Jakob Gottlieb Svendsen

Beslægtede indlæg

Azure Automation Form Generator

PowerShell: Setting Azure Active Directory Diagnostics Forwarding

SCCM: Improved MDT – “Execute Runbook” Script

#PS5.1–Import-PSSession against JEA endpoint Error

Disabling LEDBaT on Your Windows 2016/2019 Server

En kommentar