
OS Command Injection

Description

OS command injection is a critical vulnerability that can lead to full system compromise, because it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used to construct commands, or command arguments, passed to functions that execute OS commands.

Examples

Insecure Code

c#
// Vulnerable: the user-controlled string decides what gets executed.
System.Diagnostics.Process.Start(userInput);

Secure Code

c#
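using System;
using System.Diagnostics;
using System.IO;

public void ExecuteCommand(string userFileData) {
    // User data goes into a file with a server-generated name; it never reaches the command line.
    string fileName = "C:\\Temp\\" + Guid.NewGuid();
    File.WriteAllText(fileName, userFileData);

    using (Process process = new Process())
    {
        // Hardcoded executable; the only argument is the generated file path.
        ProcessStartInfo processInfo = new ProcessStartInfo("C:\\App\\FileReader.exe");
        processInfo.Arguments = fileName;
        // Start the executable directly instead of going through the OS shell.
        processInfo.UseShellExecute = false;
        process.StartInfo = processInfo;
        process.Start();
    }
}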

Remediation

Pass only a hardcoded set of arguments to OS commands. If filenames are being passed to these functions, use a hash of the filename or some other unique identifier instead of the user-supplied name. Consider using a native library that implements the same functionality instead of invoking OS commands.
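The sketch below combines the first two remediation points. It is an added example, not part of the rule's own code: the `SafeLauncher` class, the `--mode` flags and the mode keys are hypothetical, and `ProcessStartInfo.ArgumentList` assumes .NET Core 2.1 or later. It builds the start info without launching anything, so it runs without `FileReader.exe` present.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SafeLauncher // hypothetical helper name
{
    // Hardcoded argument sets; the caller can only select one by key.
    private static readonly Dictionary<string, string[]> AllowedModes = new Dictionary<string, string[]>
    {
        ["summary"] = new[] { "--mode", "summary" }, // assumed flags, for illustration only
        ["full"]    = new[] { "--mode", "full" },
    };

    // Derive the on-disk name from a hash of the user-supplied filename, so the
    // original name (and any metacharacters in it) never reaches the command line.
    public static string StoredPath(string baseDir, string userFileName)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(userFileName));
            return Path.Combine(baseDir, BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant());
        }
    }

    public static ProcessStartInfo BuildStartInfo(string modeKey, string userFileName)
    {
        if (!AllowedModes.TryGetValue(modeKey, out string[] fixedArgs))
            throw new ArgumentException("Unknown mode", nameof(modeKey));

        var info = new ProcessStartInfo("C:\\App\\FileReader.exe") { UseShellExecute = false };
        foreach (string arg in fixedArgs) info.ArgumentList.Add(arg); // each entry is passed as one argument
        info.ArgumentList.Add(StoredPath("C:\\Temp", userFileName));
        return info;
    }

    public static void Main()
    {
        // Constructed sample input: a filename containing shell metacharacters.
        ProcessStartInfo info = BuildStartInfo("summary", "notes.txt & whoami");
        Console.WriteLine(string.Join(" | ", info.ArgumentList));
        try { BuildStartInfo("summary; del", "notes.txt"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The same filename always maps to the same stored path, so where uploads from different users must not collide, a `Guid` as in the secure example above is the better identifier.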

Rule Details

| Field | Value |
| --- | --- |
| ID | CODE-0449 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | OS Command Injection, Injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |