OS Command Injection
Description
The code uses subprocess with untrusted input, which can lead to OS command injection. An attacker could inject malicious commands, potentially leading to code execution or data breaches.
Examples
Insecure Code

```python
import subprocess

# Untrusted input is concatenated into a command string that a shell parses,
# so shell metacharacters in the input become additional commands.
subprocess.Popen('ls ' + input(), shell=True)
```

Secure Code

```python
import subprocess

# The input is passed as one argv element and no shell is involved,
# so it reaches ls as a single literal argument.
subprocess.Popen(['ls', input()], stdout=subprocess.PIPE)
```

Remediation
Pass the command and its arguments to subprocess as a list (the args parameter) instead of building a command string with shell=True, so untrusted input is never parsed by a shell. Ensure all input is still properly sanitized and validated.
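The remediation above, as an added example that is not part of the original rule text: it runs ls on a user-supplied directory name with an argv list and adds the validation the rule asks for. The allow-list pattern, the confinement to a base directory and the rejection of option-like values are this example's own choices, not prescribed by the rule.

```python
import os
import re
import subprocess
import tempfile

# Allow-list for user-supplied directory names (a policy chosen for this example).
_SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


def validate_directory(user_input, base_dir):
    """Return an absolute directory path under base_dir, or raise ValueError.

    Passing the value as one argv element already stops shell interpretation;
    this check additionally rejects option-like values and path traversal,
    which an argv list alone does not prevent.
    """
    if not user_input or not _SAFE_PATH.match(user_input):
        raise ValueError("disallowed characters in path")
    if user_input.startswith("-"):
        raise ValueError("value would be parsed as an ls option")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_input))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    if not os.path.isdir(target):
        raise ValueError("not a directory")
    return target


def list_directory(user_input, base_dir):
    """Run ls on a validated directory using an argv list, never a shell string."""
    target = validate_directory(user_input, base_dir)
    # '--' ends option parsing; the path is handed to ls as a single argument.
    result = subprocess.run(["ls", "-1", "--", target],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def is_rejected(user_input, base_dir="."):
    """True if validation refuses the value before any process is started."""
    try:
        validate_directory(user_input, base_dir)
    except ValueError:
        return True
    return False


def demo_on_temp_dir():
    """Constructed sample: a base dir containing 'reports/a.txt' and 'reports/b.txt'."""
    with tempfile.TemporaryDirectory() as base:
        reports = os.path.join(base, "reports")
        os.mkdir(reports)
        for name in ("a.txt", "b.txt"):
            open(os.path.join(reports, name), "w").close()
        return list_directory("reports", base)
```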
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0152 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | os-command-injection, injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |