Merge pull request #236 from AikidoSec/decode-url-strings

teta2k · web-flow · commit 2f1b3fdbe4f0 · 2026-02-05T14:01:11.000+01:00
Don't skip whoami%00
diff --git a/Aikido.Zen.Core/Vulnerabilities/ShellInjectionDetector.cs b/Aikido.Zen.Core/Vulnerabilities/ShellInjectionDetector.cs
@@ -81,8 +81,9 @@ private static bool ContainsShellSyntax(string command, string userInput)
             // Check if the command contains a commonly used command
             foreach (Match match in commandsRegex.Matches(command))
             {
-                if (userInput != match.Value)
+                if (!userInput.Contains(match.Value))
                 {
+                    // Don't skip whoami%00
                     continue;
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -81,8 +81,9 @@ private static bool ContainsShellSyntax(string command, string userInput)`
`81`	`81`	`// Check if the command contains a commonly used command`
`82`	`82`	`foreach (Match match in commandsRegex.Matches(command))`
`83`	`83`	`{`
`84`		`- if (userInput != match.Value)`
	`84`	`+ if (!userInput.Contains(match.Value))`
`85`	`85`	`{`
	`86`	`+ // Don't skip whoami%00`
`86`	`87`	`continue;`
`87`	`88`	`}`
`88`	`89`