OS Command Injection
Description
The code builds the command passed to a process-spawning call from dynamic content. If externally controlled data can reach this call, an attacker can run arbitrary operating system commands with the privileges of the application. Ensure no untrusted data reaches this call.
Examples
Insecure Code
```python
import os

# Untrusted input is handed straight to the shell, so any command the user types is executed.
os.system(input('Enter a command: '))
```
Secure Code
```python
import os

# The command string is a fixed literal; no external data reaches the call.
os.system('ls -l')
```
Remediation
Validate and sanitize any external input before using it to spawn a process. Prefer an allow-list (whitelist) approach so that only specific, trusted commands can be executed.
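One way to apply this remediation in Python, as an added example that is not part of the rule page: user input selects an entry from a fixed allow-list, an optional path argument is validated against a strict pattern, and the resulting argv is passed to `subprocess.run` with `shell=False`. The command names, argv entries and path pattern are constructed for illustration.

```python
import re
import subprocess
from typing import List, Optional

# Constructed allow-list: user input may only pick a key; the argv is fixed here.
ALLOWED_COMMANDS = {
    "list": ["ls", "-l"],
    "disk": ["df", "-h"],
    "hello": ["echo", "hello"],
}

# A user-supplied argument must be a plain file or directory name: no shell
# metacharacters, no path separators, and no leading '-' (so it cannot be
# interpreted as an option by the target program).
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def is_allowed(command_name: str) -> bool:
    """True only for names that appear in the allow-list."""
    return command_name in ALLOWED_COMMANDS


def is_safe_path(path: str) -> bool:
    """True only for arguments that match the strict name pattern."""
    return bool(_SAFE_PATH.match(path))


def build_argv(command_name: str, path: Optional[str] = None) -> List[str]:
    """Resolve a user-supplied command name to a fixed argv; reject anything else."""
    if not is_allowed(command_name):
        raise ValueError(f"command not permitted: {command_name!r}")
    argv = list(ALLOWED_COMMANDS[command_name])
    if path is not None:
        if not is_safe_path(path):
            raise ValueError(f"argument not permitted: {path!r}")
        argv.append(path)  # separate argv element, never interpolated into a string
    return argv


def run_allowed(command_name: str, path: Optional[str] = None, timeout: float = 5.0) -> str:
    """Run an allow-listed command without a shell and return its stdout."""
    argv = build_argv(command_name, path)
    # shell=False hands argv straight to the OS; no /bin/sh is involved, so
    # metacharacters in the original input are never interpreted.
    completed = subprocess.run(argv, shell=False, capture_output=True,
                               text=True, timeout=timeout, check=True)
    return completed.stdout
```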
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0149 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | command injection, os command |
| OWASP | A1:2017-Injection, A03:2021-Injection |