OS Command Execution with Partial Paths
Description
Do not build the command string for a process execution function (`os.system()`, `os.popen()`, `subprocess` with `shell=True`) by concatenating untrusted input, and do not invoke executables by a bare or partially constructed name. The concatenated string is parsed by the shell, so metacharacters in the input (`;`, `|`, `&&`, `$(...)`, backticks) let an attacker append arbitrary commands. A bare name such as `ls` is resolved through the caller's `PATH`, so an attacker who controls that environment, or a writable directory on it, can substitute their own binary for the intended one.
Examples
Insecure Code
```python
import os

# user_input is concatenated into the command string and the whole string is
# handed to /bin/sh by os.system(): a value such as "/tmp; id" runs a second
# command. "ls" is also a bare name, resolved through the caller's PATH.
os.system('ls ' + user_input)
```
Secure Code
```python
import os

# Absolute path to the executable, and no untrusted data in the command string.
os.system('/bin/ls')
```
Remediation
Invoke executables by absolute path, and pass arguments as a list to `subprocess.run()` without `shell=True`, so that each user-supplied value reaches the program as a single argv entry that no shell ever parses. Where user input must choose what is run or listed, validate it against an allowlist (a fixed set of subcommands, or a directory root it must resolve inside) before use; do not rely on escaping or blocklisting shell metacharacters. Any remaining `os.system()` call whose string contains external data should be treated as a finding.
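The following worked example is added here to illustrate the remediation and is not code from the original rule page. It takes the directory-listing feature from the examples above and writes it both ways: a function that returns the string the insecure form would hand to the shell, and a hardened form that uses an absolute executable path, a shell-free argument list, and an allowlist check. The executable path `/bin/ls`, the allowlist root `/tmp`, the function names, and the attacker payload `"/tmp; id"` are all assumptions made for the example.

```python
"""Added example for CODE-0266: the listing feature from the rule's examples,
written insecurely and then hardened. Not part of the original rule page."""
import os
import subprocess
from pathlib import Path

LS = "/bin/ls"                         # absolute path: never resolved via $PATH (assumed location)
ALLOWED_ROOT = Path("/tmp").resolve()  # assumption: listings are confined to this tree


def insecure_command(user_input: str) -> str:
    """The exact string the rule's insecure example hands to os.system().

    os.system() runs its argument through ``/bin/sh -c``, so every shell
    metacharacter in user_input is interpreted and the bare name ``ls`` is
    looked up on $PATH. Returned instead of executed so this demo never
    launches the attacker's second command.
    """
    return "ls " + user_input


def secure_argv(user_input: str) -> list[str]:
    """Argument vector for subprocess.run() with no shell in the loop.

    The executable is given by absolute path, ``--`` stops a value beginning
    with ``-`` from being parsed as an option, and the user value is a single
    argv entry: ``/tmp; id`` becomes one (nonexistent) filename, not a second
    command.
    """
    return [LS, "--", user_input]


def validate_directory(user_input: str) -> Path:
    """Allowlist check: the resolved target must stay inside ALLOWED_ROOT.

    Symlinks and ``..`` are resolved before the comparison, so ``../etc`` and
    an absolute ``/etc/passwd`` are both rejected.
    """
    candidate = (ALLOWED_ROOT / user_input).resolve()
    if candidate != ALLOWED_ROOT and ALLOWED_ROOT not in candidate.parents:
        raise ValueError(f"{user_input!r} is outside {ALLOWED_ROOT}")
    return candidate


def is_allowed(user_input: str) -> bool:
    """Boolean wrapper around validate_directory() for callers and tests."""
    try:
        validate_directory(user_input)
    except ValueError:
        return False
    return True


def list_directory(user_input: str) -> str:
    """Hardened replacement for os.system('ls ' + user_input).

    The allowlist and the shell-free argv are independent controls: even if
    the allowlist were misconfigured, the argv form cannot turn data into a
    command.
    """
    target = validate_directory(user_input)
    completed = subprocess.run(
        secure_argv(str(target)), capture_output=True, text=True, check=True
    )
    return completed.stdout


def ls_available() -> bool:
    """True when /bin/ls exists and is executable on this host."""
    return os.access(LS, os.X_OK)


if __name__ == "__main__":
    payload = "/tmp; id"  # constructed attacker input: a directory, then a second command
    print("shell would run :", insecure_command(payload))
    print("argv form       :", secure_argv(payload))
    print("allowlisted?    :", is_allowed(payload))
    if ls_available():
        print(list_directory("."))
```

The two hardening steps address different failure modes: the argument list removes the shell, so injection through metacharacters is impossible regardless of input; the allowlist limits what the program is allowed to operate on, which the list form alone does not do (a user could still list `/etc`). Keeping both is the point, and `subprocess.run(..., shell=True)` would reintroduce the original problem even with an absolute path.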
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0266 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | command injection, path traversal |
| OWASP | A03:2021-Injection |