Form input escaping

McAndersDK · September 30, 2020, 10:09am

Is this even a thing in powershell?

do I need to makre sure that the input is safe before I use it forward ?
like input to native commands ? or as parameter to SQL ?`
Do we have something in powershell or .net to make sure we handle this?

adam · September 30, 2020, 11:31am

I think it kind of depends how you are using that data. If you are passing it to SQL, you’ll definitely need to do some sanitization to avoid injection. If you are passing it to the command line, I could see a similar issue. You probably wouldn’t want to just allow bare strings to be passed to command line utils as users could end up injecting additional commands into that command line.

I’d also be careful using Invoke-Expression at all as users could then potentially run whatever PS command they want.

What is your form doing? I’d be curious as this is an issue that isn’t brought up much but is important. It might be good to put together some official guidance around this.

McAndersDK · September 30, 2020, 11:34am

this particular is sending commands to a RCON server.
(broadcast messages)
but I use a native rcon command to send them off.

insomniacc · September 30, 2020, 12:48pm

Mirroring Adams sentiments, its going to depend on the systems involved and how you’re intending to do it, I dont really know anything about rcon servers (minecraft?) so I’m not sure security wise how easy/difficult it would be to break out from the context of those commands and elevate.
Definitely agree, don’t allow any native command to be passed through from web ui to execution as they can and will be a security hole.
For SQL, I use invoke-sqlcmd2 as it has -SqlParameters which allows you to setup parameterized queries.

McAndersDK · September 30, 2020, 12:50pm

yeah, but how ?
would it be enought to do a -replace “AllDangerChar”,’’ ?
and what would that be?

adam · September 30, 2020, 1:13pm

I don’t know if you’ll necessarily need to escape anything. Anything you pass to your RCON command line tool is just going to be treated like a string.

PS C:\Users\adamr> $test = ';Write-Host "hey"'
PS C:\Users\adamr> ping localhost $test
Bad parameter ;Write-Host hey.

So it depends what the RCON command accepts. If you can use it maliciously, then you will want to check the input or restrict it to a set of options.

I think the most dangerous thing would be doing something like this.

Invoke-Expression "rcon $parameter"

adam · September 30, 2020, 1:19pm

The PowerShell Team did a talk at Defcon about this: https://devblogs.microsoft.com/powershell/powershell-injection-hunter-security-auditing-for-powershell-scripts/

Seems like they made a tool to help detect it as well: https://www.powershellgallery.com/packages/InjectionHunter/1.0.0

Topic		Replies	Views
Question around form validation PowerShell Universal	3	355	February 10, 2021
Here-strings @""@ Universal Dashboard Help	3	993	June 25, 2019
Newb alert, trouble getting started: Dashboard card to invoke script PowerShell Universal	0	283	November 28, 2022
Form Input (like ComboBox ) PowerShell Universal	4	301	December 23, 2021
Automation [String[]] parameter PowerShell Universal	1	293	September 17, 2021

Form input escaping

Related topics