OS Command Injection via exec Function
Description
The application calls the `exec` function with a non-literal variable. If that variable is derived from user-supplied input, the call is an injection sink: an adversary can execute arbitrary Python code and, through it, compromise the entire system.
Examples
Insecure Code
```python
# user_supplied_data is an untrusted string; exec runs it as Python code
exec(user_supplied_data)
```
Secure Code
```python
import json

# Parse the untrusted string as data instead of running it as code
user_object = json.loads(user_supplied_data)
```
Remediation
Remove all calls to `exec` and consider alternative methods for implementing the necessary business logic, such as using `json.loads` to parse user-supplied data as structured data rather than evaluating it as code.
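As an added example (not code from the rule page or the scanner it documents), the script below shows both sides of the remediation: a small `ast`-based check that flags `exec` calls whose argument is not a string literal, which is the condition the rule describes, and a loader that treats untrusted input as JSON data and rejects anything that is not a well-formed object. The two source snippets and the payloads are constructed for this example.

```python
import ast
import json

# Constructed sample sources for the scanner below; they are assumed
# inputs written for this example, not code from the rule page.
VULNERABLE_SRC = """
import json

def handle(request):
    user_supplied_data = request.body
    exec(user_supplied_data)
"""

SAFE_SRC = """
import json

def handle(request):
    user_supplied_data = request.body
    user_object = json.loads(user_supplied_data)
    return user_object
"""


def find_exec_calls(source: str) -> list:
    """Flag exec() calls whose first argument is not a string literal.

    This mirrors the rule's condition: literal program text is fixed at
    development time, but a variable (or any expression) may carry
    request-controlled data. Returns (line_number, argument_source) pairs.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "exec"
                and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue  # literal string: cannot be influenced by input
        findings.append((node.lineno, ast.unparse(arg)))
    return findings


def load_user_object(user_supplied_data: str) -> dict:
    """Treat untrusted input as data, never as code.

    json.loads parses a JSON document and cannot run anything it contains.
    It may still return any JSON type (a string, a list, a number), so the
    expected shape is checked before the value is used.
    """
    obj = json.loads(user_supplied_data)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object at the top level")
    return obj


def is_accepted(user_supplied_data: str) -> bool:
    """True if the payload is a well-formed JSON object, False otherwise."""
    try:
        load_user_object(user_supplied_data)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False
    return True


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        print(name, find_exec_calls(src))
    # Python source text is not JSON, so the loader rejects it instead of
    # executing it; a JSON string literal comes back as a str and is not run.
    for payload in ('{"name": "alice"}', 'print("hi")', '"print(1)"'):
        print(repr(payload), "accepted" if is_accepted(payload) else "rejected")
```

The scanner deliberately skips `exec` with a literal string argument, matching the "non-literal variable" wording of the rule; anything else, including concatenations such as `base + suffix`, is reported. Note that `json.loads` on its own only guarantees the input is parsed rather than executed, which is why `load_user_object` also enforces the expected top-level type.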
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0145 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | os-command-injection, code-injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |