Command Injection (CWE-78) - Security Vulnerability

Improper Neutralization of Special Elements used in an OS Command

User input is passed unsanitized to system shell commands, allowing attackers to execute arbitrary commands on the server.

Verbreitung

Common

Found in many applications

Auswirkung

Critical

Full server compromise

Prävention

Avoid shell

Use execFile, not exec

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für OS Command Injection basierend auf 3 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →

Command Injection via os/exec CRITICAL

Use exec.Command with explicit arguments, never shell invocation

+14 -6 go

  package main
  
  import (
      "net/http"
      "os/exec"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     cmd := r.URL.Query().Get("cmd")
-     // Vulnerable: shell invocation with user input
-     output, _ := exec.Command("sh", "-c", cmd).Output()
+     "regexp"
+ )
+ 
+ var safePattern = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     filename := r.URL.Query().Get("file")
+     // Validate input
+     if !safePattern.MatchString(filename) {
+         http.Error(w, "Invalid filename", http.StatusBadRequest)
+         return
+     }
+     // Safe: explicit command with validated argument
+     output, _ := exec.Command("cat", filename).Output()
      w.Write(output)
  }

🟨 JavaScript Alle anzeigen JavaScript Details →

Command Injection via child_process CRITICAL

Use execFile/spawn with array arguments instead of exec with string commands

+5 -5 javascript

- const { exec } = require('child_process');
- 
- app.get('/convert', (req, res) => {
-   const filename = req.query.file;
-   exec(`convert ${filename} output.png`, (err, stdout) => {
+ const { execFile } = require('child_process');
+ 
+ app.get('/convert', (req, res) => {
+   const filename = req.query.file;
+   execFile('convert', [filename, 'output.png'], (err, stdout) => {
      res.send('Converted');
    });
  });

🐍 Python Alle anzeigen Python Details →

OS Command Injection CRITICAL

Use subprocess.run with list arguments and shell=False

+1 -1 python

  import subprocess
  from flask import request
  
  @app.route('/convert')
  def convert():
      filename = request.args.get('file')
-     subprocess.run(f'convert {filename} output.png', shell=True)
+     subprocess.run(['convert', filename, 'output.png'], check=True)
      return 'Done'

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Command Injection-Mustern zu scannen. 3 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=78

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (3)

🐹 Go 1 rules

Command Injection via os/exec CRITICAL

Detects user input flowing to os/exec command execution, enabling OS command injection.

🟨 Javascript 1 rules

Command Injection via child_process CRITICAL

Detects user input flowing to shell command execution functions.

🔷 Typescript 1 rules

Command Injection via child_process CRITICAL

Detects user input flowing to shell command execution functions.

🐍 Python 1 rules

OS Command Injection CRITICAL

Detects untrusted user input flowing into operating system command execution functions without proper sanitization.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Command Injection-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🔴

user input flowing to os/exec command execution, enabling OS command injection go-command-injection

🔴

user input flowing to shell command execution functions javascript-command-injection

🔴

untrusted user input flowing into operating system command execution functions without proper saniti python-command-injection

5 Code-Audit

Manuelle Review-Muster

Bei der manuellen Code-Review nach diesen gefährlichen Mustern suchen.

Warnsignale, nach denen man suchen sollte

query = + String-Verkettung

execute(f"... or execute("..." +

raw_query, rawQuery, executeRaw

${ or #{ innerhalb von SQL-Strings

6 Expertenanalyse

Wie Sicherheitsexperten denken

Das mentale Modell, das Sicherheitsexperten beim Review dieser Schwachstelle verwenden.

Einstiegspunkte kartieren

URL-Parameter, POST-Bodies, Header, Cookies, Datei-Uploads.

Datenfluss verfolgen

Verfolge die Eingabe durch den Code. Wird sie bereinigt?

Senken identifizieren

Where queries are executed: execute(), query()

Vertrauensgrenzen prüfen

Achte auf gespeicherte Daten, die in Abfragen verwendet werden.

🔍

Scanne deine Codebasis nach Command Injection

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen