Potential for OS command injection
Description
It is generally not recommended to call out to the operating system to execute commands. When the application executes file-system-based commands, user input should never be used to construct commands or command arguments. If possible, determine whether a library can provide the same functionality instead. Otherwise, consider hard-coding both the command and its arguments, or at the very least restricting which arguments can be passed to the command execution function.
Examples
Insecure Code
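```c
/* user_input is handed to the shell, which parses it as a command line */
execl("/bin/sh", "sh", "-c", user_input, (char *)NULL);
```
Secure Code
```c
/* fixed program and arguments: no shell, no user input */
execl("/bin/ls", "ls", (char *)NULL);
```
Remediation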
Use a library or hard code the command and arguments to prevent user input from being used in command construction.
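When a caller must be able to influence the command, the "restrict which arguments can be passed" option from the description can be done with an allowlist. The following is an added example, not part of the original rule text; the names `ALLOWED_OPTS`, `match_allowed_opt`, `build_ls_argv` and `run_ls`, the permitted options and the target directory `/` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical allowlist: the only option strings a caller may select. */
static const char *const ALLOWED_OPTS[] = { "-l", "-a", "-la" };

/* Return the allowlisted constant equal to input, or NULL if not permitted.
 * Handing back our own constant keeps caller-controlled bytes out of argv. */
const char *match_allowed_opt(const char *input)
{
    size_t n = sizeof ALLOWED_OPTS / sizeof ALLOWED_OPTS[0];
    for (size_t i = 0; input != NULL && i < n; i++)
        if (strcmp(input, ALLOWED_OPTS[i]) == 0)
            return ALLOWED_OPTS[i];
    return NULL;
}

/* Fill argv for the fixed /bin/ls call; 0 on success, -1 if rejected. */
int build_ls_argv(const char *user_opt, const char *argv[4])
{
    const char *opt = match_allowed_opt(user_opt);
    if (opt == NULL)
        return -1;
    argv[0] = "ls";
    argv[1] = opt;
    argv[2] = "/";      /* hard-coded target directory (example assumption) */
    argv[3] = NULL;
    return 0;
}

/* Run the fixed command with no shell; returns its exit status or -1. */
int run_ls(const char *user_opt)
{
    const char *argv[4];
    int status;
    if (build_ls_argv(user_opt, argv) != 0)
        return -1;              /* rejected before any process is created */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/ls", (char *const *)argv);
        _exit(127);             /* only reached if execv itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the value placed in `argv[1]` is always one of the program's own constants and no shell is involved, input that contains shell metacharacters or extra arguments is rejected rather than interpreted.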
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0614 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | os-command-injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |