OS Command Injection
Description
The code invokes a subprocess without proper sanitization of user-provided input, which may lead to an OS command injection vulnerability. Although the subprocess is spawned without a command shell (the command is passed as an argument list, so shell metacharacters are not interpreted), the invoked program still parses the arguments it receives, so care should still be taken to ensure the validity of the input.
Examples
Insecure Code
```python
subprocess.Popen(['echo', user_input])
```
Secure Code
```python
subprocess.Popen(['echo', sanitize_input(user_input)])
```
Remediation
Validate and sanitize any user-provided input before passing it to the subprocess.
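The `sanitize_input` helper named above is not defined on this page; the following is an added example of one allowlist-based implementation (not the rule's own code) together with a no-shell `echo` call that uses it. The allowed character set and length limit are assumptions chosen for the example.

```python
import re
import subprocess

# Allowlist of characters accepted as a plain argument value.
# Assumption (not from the rule page): alphanumerics, space and a few
# punctuation marks are enough for the caller; everything else is rejected.
_ALLOWED = re.compile(r"[A-Za-z0-9 _.,:@-]{1,200}")


def sanitize_input(user_input: str) -> str:
    """Return user_input unchanged if it passes validation, else raise ValueError.

    Passing a list to Popen/run avoids a command shell, so ';' or '|' are not
    interpreted. Validation is still needed because the invoked program parses
    its own argv: a value starting with '-' may be read as an option instead of
    data, and control characters can corrupt the program's output or logs.
    """
    if not isinstance(user_input, str):
        raise ValueError("input must be a string")
    if any(ch in user_input for ch in ("\x00", "\n", "\r")):
        raise ValueError("control characters are not allowed")
    if user_input.startswith("-"):
        raise ValueError("leading '-' could be parsed as a program option")
    if not _ALLOWED.fullmatch(user_input):
        raise ValueError("input contains characters outside the allowlist")
    return user_input


def run_echo(user_input: str) -> str:
    """Run echo with a validated argument (no shell) and return its stdout."""
    completed = subprocess.run(
        ["echo", sanitize_input(user_input)],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout.rstrip("\n")


def is_accepted(user_input: str) -> bool:
    """True if validation accepts the value; used to show what gets rejected."""
    try:
        sanitize_input(user_input)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_echo("hello world"))        # prints: hello world
    print(is_accepted("-n"))              # False: would be read as an option
```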
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0150 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | os-command-injection, injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |