OS Command Injection
Description
OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands.
Examples
Insecure Code

```ruby
# Vulnerable: an attacker-controlled value is handed straight to an OS command.
user_input = params[:user_input]
system('grep', user_input, 'my_file.txt')
```

Secure Code

```ruby
require 'open3'

user_input = params[:user_input]

# Only values from this fixed allow-list are ever passed to the command.
allowed_arguments = ['allowed_argument1', 'allowed_argument2']

if allowed_arguments.include?(user_input)
  # argv form: each element is a separate argument, so no shell parses the input.
  stdout, stderr, status = Open3.capture3('grep', user_input, 'my_file.txt')
end
```

Remediation
Validate input against a strict pattern, sanitize input by escaping or removing potentially dangerous characters, use secure methods designed to execute system commands with parameters, and run the application with the least privileges necessary.
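The remediation above, worked through as an added example that is not part of the original rule page: an allow-list check on the user-supplied grep pattern, argv-style invocation via Open3 with `--` so a value starting with `-` can never be read as an option, and correct handling of grep's exit codes (1 means no match, 2 means failure). The sample log content and the `safe_grep`/`demo` names are constructed for this illustration.

```ruby
require 'open3'
require 'tempfile'

# Fixed allow-list: the only pattern values the application will hand to grep.
ALLOWED_PATTERNS = ['ERROR', 'WARN', 'FATAL'].freeze

class UnsafeArgument < StandardError; end

# Runs `grep -- <pattern> <file>` without a shell, and only after `user_pattern`
# has been checked against the allow-list. `file` is chosen by the application,
# never by the user. Returns the matching lines as an array; raises
# UnsafeArgument on a rejected pattern and RuntimeError if grep itself fails.
def safe_grep(user_pattern, file)
  unless ALLOWED_PATTERNS.include?(user_pattern)
    raise UnsafeArgument, "pattern #{user_pattern.inspect} is not in the allow-list"
  end
  # argv form: each element is exactly one argument, so no shell parses it.
  # `--` ends option parsing, so even if the allow-list is loosened later a
  # value such as "-r" cannot be interpreted as a grep flag.
  stdout, stderr, status = Open3.capture3('grep', '--', user_pattern, file)
  # grep exits 0 on a match and 1 on no match; 2 (or a signal) is an error.
  unless status.exitstatus && status.exitstatus <= 1
    raise "grep failed: #{stderr.strip}"
  end
  stdout.lines.map(&:chomp)
end

# Constructed sample input for the demonstration below.
SAMPLE_LOG = "INFO start\nERROR disk full\nWARN retrying\nERROR disk full again\n"

# Writes the sample to a temp file, runs one allowed query and three
# rejected ones, and returns what happened so a caller can check it.
def demo
  Tempfile.create('sample') do |f|
    f.write(SAMPLE_LOG)
    f.flush
    rejected = ['-r', '; id', 'ERROR my_file.txt'].map do |bad|
      begin
        safe_grep(bad, f.path)
        false
      rescue UnsafeArgument
        true # the hostile value never reached grep
      end
    end
    { ok: safe_grep('ERROR', f.path), rejected: rejected }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```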
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0541 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | os-command-injection, code-injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |
References
- https://guides.rubyonrails.org/security.html#command-line-injection
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/dangerous-exec.yaml