OS Command Injection
Description
The code uses functions that can lead to OS command injection, which occurs when an attacker is able to inject and execute system commands. This can happen when user input is not properly sanitized and is used in a command that is executed by the system.
Examples
Insecure Code
```python
import os

# filename is attacker-controlled input concatenated straight into a shell command line
os.system('ls -l ' + filename)
```
Secure Code
```python
import subprocess

# Each list element is passed to ls as a separate argument; no shell parses the string
subprocess.run(['ls', '-l', filename])
```
Remediation
Use the subprocess module with the args parameter as a list to avoid shell injection. For example, instead of os.system('ls -l ' + filename), use subprocess.run(['ls', '-l', filename]).
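As an added example (not the scanner's own implementation of CODE-0148), the following AST walk flags the call shapes this rule describes: os.system/os.popen with a runtime-built command, and subprocess calls with shell=True or a command that is not an argv list. The sink table and the sample source are constructed for the example; aliased imports (import subprocess as sp) are deliberately out of scope.

```python
import ast

# Sinks inspected by this example (constructed; not the scanner's rule definition).
OS_SINKS = {("os", "system"), ("os", "popen")}
SUBPROCESS_SINKS = {("subprocess", "run"), ("subprocess", "call"), ("subprocess", "check_call"),
                    ("subprocess", "check_output"), ("subprocess", "Popen")}

def _qualified_name(func):
    """Return ('module', 'attr') for calls like os.system(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None

def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def _shell_is_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)

def find_command_injection(source):
    """Return (line, reason) for each call matching the CWE-78 patterns above."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        cmd = node.args[0] if node.args else None
        if name in OS_SINKS and not _is_str_literal(cmd):
            # os.system/os.popen always run through a shell; a runtime-built command is suspect.
            findings.append((node.lineno, f"{name[0]}.{name[1]} called with a non-literal command"))
        elif name in SUBPROCESS_SINKS:
            if _shell_is_true(node):
                findings.append((node.lineno, f"{name[1]} called with shell=True"))
            elif cmd is not None and not isinstance(cmd, (ast.List, ast.Tuple)) and not _is_str_literal(cmd):
                # Concatenation, f-string or variable instead of an argv list.
                findings.append((node.lineno, f"{name[1]} command is not an argv list"))
    return findings

# Constructed sample source mirroring the rule's insecure and secure examples.
SAMPLE = """\
import os
import subprocess
os.system('ls -l ' + filename)
subprocess.run(['ls', '-l', filename])
subprocess.run('ls -l ' + filename, shell=True)
subprocess.check_output(f"ls -l {filename}")
os.system('ls -l')
"""

if __name__ == "__main__":
    for line, reason in find_command_injection(SAMPLE):
        print(f"line {line}: {reason}")
```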
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0148 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | os-command-injection, shell-injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |