OS Command Injection
Description
OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands.
Examples
Insecure Code
java
ProcessBuilder processBuilder = new ProcessBuilder("/opt/app/path", userFileData);Secure Code
java
String fileName = UUID.randomUUID().toString(); ProcessBuilder processBuilder = new ProcessBuilder("/opt/app/path", fileName);Remediation
Use a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, use a hash of the filename or some other unique identifier. Consider using a native library that implements the same functionality instead of using OS system commands.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0705 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | os-command-injection, injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |