Skip to content

Fix command injection vulnerability in WSL certificate trust#64969

Merged
danegsta merged 4 commits intodanegsta/wslCertTrustfrom
copilot/sub-pr-64966
Jan 7, 2026
Merged

Fix command injection vulnerability in WSL certificate trust#64969
danegsta merged 4 commits intodanegsta/wslCertTrustfrom
copilot/sub-pr-64966

Conversation

Copy link
Contributor

Copilot AI commented Jan 7, 2026
edited
Loading

Fix command injection vulnerability in WSL certificate trust

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Fix command injection vulnerability in PowerShell command construction for WSL certificate trust

Description

The TryTrustCertificateInWindowsStore method was vulnerable to command injection through paths containing double quotes, which could break out of the -Command "..." shell string. Since certificatePath can be influenced by the DOTNET_DEV_CERTS_OPENSSL_CERTIFICATE_DIRECTORY environment variable, malicious values could execute arbitrary commands.

Changes

  • Use -EncodedCommand with Base64 encoding: Encode the PowerShell script as UTF-16LE Base64 before passing to powershell.exe, eliminating command shell escaping issues
  • Maintain PowerShell-level escaping: Keep single-quote escaping within the script to prevent PowerShell injection from breaking out of string literals

This provides two-layer protection: Base64 encoding prevents shell-level injection, single-quote escaping prevents PowerShell-level injection.

// Before: vulnerable to paths with double quotes
var startInfo = new ProcessStartInfo(PowerShellCommand, 
    $"-NoProfile -NonInteractive -Command \"{powershellScript}\"")

// After: Base64-encoded, immune to shell injection
var encodedCommand = Convert.ToBase64String(System.Text.Encoding.Unicode.GetBytes(powershellScript));
var startInfo = new ProcessStartInfo(PowerShellCommand, 
    $"-NoProfile -NonInteractive -EncodedCommand {encodedCommand}")

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI mentioned this pull request Jan 7, 2026
Merged
Copilot AI and others added 3 commits January 7, 2026 20:14
@danegsta
Fix command injection vulnerability using -EncodedCommand with Base64
e31abab 
Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
@danegsta
Remove redundant string escaping since Base64 encoding handles all sp…
497b40f 
…ecial characters

Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
@danegsta
Re-add PowerShell single-quote escaping to prevent injection within P…
bcbf3ac 
…S script

Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
Copilot AI changed the title [WIP] Update dev cert support for Windows certificate store in WSL Fix command injection vulnerability in WSL certificate trust Jan 7, 2026
Copilot AI requested a review from danegsta January 7, 2026 20:21
@danegsta danegsta marked this pull request as ready for review January 7, 2026 20:22
@danegsta danegsta merged commit 1b95e15 into danegsta/wslCertTrust Jan 7, 2026
6 of 20 checks passed
@danegsta danegsta deleted the copilot/sub-pr-64966 branch January 7, 2026 20:23
This was referenced Jan 7, 2026
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danegsta danegsta Awaiting requested review from danegsta

Assignees

@danegsta danegsta

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danegsta