Will It Vibe logoWill It Vibe?
CSHARP-004High severity-15 points

Process started with concatenated/interpolated arguments

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Process.Start, ProcessStartInfo, or an Arguments assignment builds the command line from string concatenation or interpolation, so a value that reaches it can inject additional shell arguments or commands.

Why it matters

When the argument string passed to Process.Start (or set via ProcessStartInfo.Arguments) is built by gluing a literal to a variable, a value containing shell metacharacters or extra arguments can change what actually gets executed. This is command injection: an attacker-controlled string can run a different program, add flags, or chain a second command, often leading to full remote code execution.

How to fix it

Prefer the ArgumentList property on ProcessStartInfo (available since .NET Core), which passes each argument as a separate array entry with no shell parsing involved, instead of building one argument string. If you must build a single string, validate the input against a strict allow-list before use and never pass user input as a raw path or flag.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks