# Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended command when it is sent to a downstream component.

- Prevalence: High
- Impact: High
- Prevention: see MITRE
- Shoulder rule: none
- OWASP Top 10: #3

External references

**OWASP:** Injection (A03:2021-Injection), #3

## Description

Command injection vulnerabilities typically occur when three conditions hold at once: data enters the application from an untrusted source; that data becomes part of a string that the application executes as a command (for example through a shell); and the resulting command lets the attacker run operations they would not normally be permitted to run. The special elements that matter are the downstream interpreter's metacharacters, such as `;`, `|`, `&&`, `$(...)` and backticks for a POSIX shell, because they end or chain commands rather than being treated as data.

## Consequences

- Unauthorized command execution
- Reading application data
- Modifying application data
- DoS

## Mitigations

- Use library calls instead of spawning external processes to implement the desired functionality
- Run the code in a sandboxed environment that enforces strict boundaries
- Use vetted libraries or frameworks that do not allow this weakness
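The following is an added example, not code from the CWE entry or from any referenced project. It contrasts the weakness described above with a hardened form in Python: the vulnerable function concatenates untrusted input into a string that `/bin/sh` interprets, while the hardened functions validate the input against an allowlist and pass it as a single argv element with no shell involved. The attacker string, the hostname pattern and the use of `echo` as a stand-in for a real command are all constructed for the demonstration; the functions `run_vulnerable`, `run_hardened_no_shell`, `validate_hostname` and `run_hardened_validated` are hypothetical names.

```python
import re
import subprocess

# Constructed attacker-controlled input: a plausible hostname followed by a
# shell command separator and a second command.
ATTACKER_INPUT = "example.com; echo INJECTED"


def run_vulnerable(name: str) -> str:
    """CWE-77: the command is built by string concatenation and handed to a shell.

    shell=True passes the whole string to /bin/sh -c, so ';', '|', '&&',
    '$(...)' and backticks inside `name` become part of the command line
    rather than data. `echo` stands in for whatever command the product
    really runs (ping, tar, convert, ...).
    """
    completed = subprocess.run(
        "echo " + name, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_hardened_no_shell(name: str) -> str:
    """Same call with the input passed as one argv element and no shell.

    The kernel receives argv=["echo", name]; there is no interpreter to
    parse metacharacters, so the whole input is printed literally.
    """
    completed = subprocess.run(["echo", name], capture_output=True, text=True)
    return completed.stdout


# Allowlist for a hostname-like value (constructed for this example):
# letters, digits, '.' and '-', 1..253 characters, and not starting with '-'
# so the value can never be mistaken for a command-line option.
_HOSTNAME = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")


def validate_hostname(name: str) -> str:
    """Reject anything outside the allowlist; return the value unchanged otherwise."""
    if not _HOSTNAME.fullmatch(name):
        raise ValueError(f"rejected input: {name!r}")
    return name


def run_hardened_validated(name: str) -> str:
    """Validation first, then argv without a shell: defense in depth."""
    return run_hardened_no_shell(validate_hostname(name))


if __name__ == "__main__":
    print("vulnerable :", repr(run_vulnerable(ATTACKER_INPUT)))
    print("no shell   :", repr(run_hardened_no_shell(ATTACKER_INPUT)))
    try:
        run_hardened_validated(ATTACKER_INPUT)
    except ValueError as exc:
        print("validated  :", exc)
```

With the attacker string, the vulnerable version returns two lines (`example.com` and `INJECTED`) because the shell executed a second command; the no-shell version returns the whole string as one literal line, and the validated version refuses the input before any process is started. Two caveats worth keeping in mind even when no shell is used: input beginning with `-` can still be interpreted as an option by the target program (argument injection), which is why the allowlist excludes a leading dash, and the argv approach only holds if the target program itself does not re-parse its arguments through a shell.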