OS Command Injection
Description
The code uses a shell to execute a process, which may be vulnerable to OS command injection attacks. This could allow an attacker to inject malicious commands and execute them on the system.
Examples
Insecure Code

```python
import os

# user_input is concatenated into a shell command line: any shell
# metacharacter in it (for example ";" or "$(...)") changes the command.
os.system("ls -l " + user_input)
```

Secure Code

```python
import subprocess

# No shell is involved: user_input is passed to ls as exactly one argument.
subprocess.run(["ls", "-l", user_input])
```

Remediation
Use the subprocess module with the args parameter to avoid shell injection, or validate and sanitize any user input before passing it to the shell.
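The following added example (not part of this rule page) makes the two remediation paths concrete: it shows how a POSIX shell would tokenize the concatenated `os.system` string, how the argv-list form keeps the same input as a single argument, how `shlex.quote` preserves that property if a shell truly cannot be avoided, and an allowlist check that rejects the input outright. `SAMPLE_INPUT`, `validate_filename` and the allowlist pattern are constructed for this example.

```python
import re
import shlex
import subprocess

# Constructed sample input: a filename followed by a shell command separator.
SAMPLE_INPUT = "notes.txt; id"

# Allowlist for a single path component (hypothetical policy for this example):
# letters, digits, dot, underscore and dash only.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def validate_filename(name: str) -> str:
    """Return name unchanged if it is a plain filename, else raise ValueError."""
    if not _SAFE_NAME.fullmatch(name) or name in {".", ".."}:
        raise ValueError(f"unsafe filename: {name!r}")
    return name


def shell_words(command_string: str) -> list[str]:
    """Tokenize a command line the way a POSIX shell would.

    punctuation_chars=True makes shlex split out metacharacters such as ';',
    '|' and '&' as their own tokens, so the result shows where a second
    command would begin.
    """
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_argv(user_input: str) -> list[str]:
    """The argv-list form: user_input is one argument whatever it contains."""
    return ["ls", "-l", user_input]


def build_shell_command(user_input: str) -> str:
    """If a shell is unavoidable, shlex.quote keeps the value a single word."""
    return "ls -l " + shlex.quote(user_input)


def list_directory(user_input: str) -> subprocess.CompletedProcess:
    """Remediated call: validate first, then run without a shell."""
    return subprocess.run(
        build_argv(validate_filename(user_input)),
        capture_output=True, text=True, check=False,
    )


if __name__ == "__main__":
    # How the shell sees the concatenated string: 'id' becomes a second command.
    print(shell_words("ls -l " + SAMPLE_INPUT))
    # How ls sees the argv list: one literal argument containing "; id".
    print(build_argv(SAMPLE_INPUT))
    # Quoting restores that behaviour even when a shell parses the line.
    print(shell_words(build_shell_command(SAMPLE_INPUT)))
    try:
        validate_filename(SAMPLE_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

The tokenization of the concatenated string is the whole vulnerability in one line: the shell turns the user's value into two commands, whereas with the argv list the process never sees a shell at all. Prefer the list form plus validation; reach for `shlex.quote` only when an existing interface forces `shell=True`.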
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0147 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | os-command-injection, shell-injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |