Command Injection
Description
The software constructs an OS command using externally influenced input but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command.
Examples
Insecure Code

```c
/* user_input reaches the shell verbatim: ';', '|', '&&' or '$(...)' in it become part of the executed command */
system(user_input);
```

Secure Code

```c
/* the command string is a constant, so no external data is ever parsed by the shell */
system("ls -l");
```

Remediation
Validate and sanitize all input used to construct OS commands. Prefer an allowlist (whitelist) approach that accepts only the expected input and rejects everything else.
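As an added example (not the rule's own sample code), this is what the remediation looks like when the file name genuinely has to come from the user: an allowlist validator in front of a direct `execvp()` call with a fixed argv, so no shell ever parses the input, plus a `--` so that a leading dash cannot be read as an option (the CWE-88 argument-injection case this rule cites). It assumes a POSIX fork/exec environment and an `ls` that honours `--`.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for a single file or directory name that will be passed to
 * "ls -l". Only [A-Za-z0-9._-] is accepted, so shell metacharacters
 * (; | & $ ` < > ...) never reach a command at all. A leading '-' is
 * rejected as well: that is the CWE-88 case, where an argument such as
 * "--version" would be parsed as an option by ls. '/' and ".." are
 * rejected so the name stays inside the current directory. */
int is_safe_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    if (strlen(name) > 255 || strchr(name, '/') || strstr(name, ".."))
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened replacement for system(user_input): validate the argument,
 * then execute ls directly with a fixed argv and no shell. The "--"
 * tells ls that option parsing ends before the user-supplied name.
 * Returns -1 if the input is rejected, -2 on fork/wait failure,
 * otherwise the child's exit status (127 if ls could not be executed). */
int run_ls(const char *name)
{
    pid_t pid;
    int status;
    if (!is_safe_name(name))
        return -1;                  /* rejected: nothing is spawned */
    pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char *const argv[] = { "ls", "-l", "--", (char *)name, NULL };
        execvp(argv[0], argv);      /* only returns on failure */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
```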
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0677 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-88 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | command injection, os command |
| OWASP | N/A |
References
- https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
- https://cwe.mitre.org/data/definitions/676
- https://cwe.mitre.org/data/definitions/78
- https://g.co/kgs/PCHQjJ
- https://cwe.mitre.org/data/definitions/88