# Command Injection (CWE-78)

User input is passed unsanitized to system shell commands, allowing attackers to execute arbitrary commands on the server.

- Prevalence: Common. Found in many applications.
- Impact: Critical. Full server compromise.
- Prevention: Avoid the shell. Use execFile, not exec.

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

When an application builds all or part of an operating-system command from externally influenced input without neutralizing shell metacharacters, attackers can execute unexpected, dangerous commands directly on the operating system. The weakness matters precisely in environments where the attacker has no direct access to the operating system: the vulnerable application becomes their way in, running with whatever privileges the application process holds.

## Prevention

OS command injection prevention strategy, based on the three Shoulder detection rules.

### Go

Use exec.Command with explicit arguments, never shell invocation (no `sh -c` and no string concatenation into a command line).

### JavaScript

Use execFile/spawn with array arguments instead of exec with string commands, and do not set `shell: true`.

### Python

Use subprocess.run with list arguments and shell=False (the default).

In all three languages the argument-list form passes each argument directly to the program, so metacharacters such as `;`, `|`, `$()` and backticks are never interpreted. Still validate input against an allowlist: a value beginning with `-` can be read by the invoked program as an option, so an unvalidated argument can still alter what the command does even when no shell is involved.

## Warning Signs

- [CRITICAL] user input flowing to os/exec command execution, enabling OS command injection
- [CRITICAL] user input flowing to shell command execution functions
- [CRITICAL] untrusted user input flowing into operating system command execution functions without proper sanitization

## Consequences

- Unauthorized command execution
- Reading application data
- Bypassing protection mechanisms

## Mitigations

- Use library calls instead of spawning external processes
- If you use Runtime.exec(), use the overload that takes an argument array
- Use structured mechanisms that automatically enforce the separation of data and code

## Detection

- Total rules: 3
- Critical: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Command Injection via os/exec** [CRITICAL]: Detects user input flowing to os/exec command execution, enabling OS command injection.
- Remediation: Use exec.Command with explicit arguments and validate input against an allowlist.
```go
// Only filenames from a fixed allowlist ever reach the command.
allowed := map[string]bool{"file1.txt": true, "file2.txt": true}
if !allowed[userInput] {
    return errors.New("not allowed")
}
// exec.Command passes each argument directly to the program; no shell parses it.
cmd := exec.Command("cat", userInput)
```

Learn more: https://shoulder.dev/learn/go/cwe-78/command-injection

### Javascript (1 rule)

- **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions.
- Remediation: Use execFile() with argument arrays instead of exec() with string commands.

```javascript
const { execFile } = require('child_process');
// Arguments are passed as an array; `directory` is never parsed by a shell.
execFile('ls', ['-la', directory]);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection

### Typescript (1 rule)

- **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions.
- Remediation: Use execFile() with argument arrays instead of exec() with string commands.

```javascript
const { execFile } = require('child_process');
// Arguments are passed as an array; `directory` is never parsed by a shell.
execFile('ls', ['-la', directory]);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection

### Python (1 rule)

- **OS Command Injection** [CRITICAL]: Detects untrusted user input flowing into operating system command execution functions without proper sanitization.
- Remediation: Use subprocess with argument lists and shell=False.

```python
# List arguments with shell=False (the default): ip_address is a single argv element.
subprocess.run(["ping", "-c", "2", ip_address], check=True)
```

Learn more: https://shoulder.dev/learn/python/cwe-78/command-injection
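The following is an added example, not code from the Shoulder rules or their remediation pages. It puts the vulnerable pattern the Python rule detects (user input interpolated into a string run with `shell=True`) next to two hardened variants: the argument-list form with `shell=False`, and that form behind an allowlist check. `echo` stands in for a real diagnostic command such as `ping` so the code runs offline, and the hostname values, the `is_valid_hostname` regex and the function names are constructed for this illustration.

```python
"""Added example: OS command injection via shell=True versus argument lists."""
import re
import subprocess

# Constructed attacker input: a plausible host followed by a shell
# metacharacter and a second command.
MALICIOUS_HOST = "example.com; echo INJECTED"

# Allowlist shape for a hostname: dot-separated labels of letters, digits and
# hyphens. Anything with spaces, ';', '|', '$', backticks, etc. is rejected.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def is_valid_hostname(host: str) -> bool:
    """Return True only for a plain hostname (no shell metacharacters, no leading '-')."""
    return len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """VULNERABLE: the input is interpolated into a string that /bin/sh parses.

    The ';' ends the echo command and the remainder runs as a second command.
    """
    completed = subprocess.run(
        f"echo pinging {host}", shell=True, capture_output=True, text=True, check=True
    )
    return completed.stdout


def run_with_list_args(host: str) -> str:
    """Argument list, shell=False (the default): no shell ever sees the input.

    The whole string reaches the program as one argv element, metacharacters
    included, so no second command runs. This alone stops injection.
    """
    completed = subprocess.run(
        ["echo", "pinging", host], capture_output=True, text=True, check=True
    )
    return completed.stdout


def run_hardened(host: str) -> str:
    """HARDENED: allowlist validation first, then the argument-list form.

    Validation is defence in depth: it also blocks values that a program might
    read as options (a leading '-'), which argument lists do not prevent.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_with_list_args(host)


def demo_injection_outcome() -> dict:
    """Summarise what each variant does with the constructed malicious input."""
    vulnerable_out = run_vulnerable(MALICIOUS_HOST)
    literal_out = run_with_list_args(MALICIOUS_HOST)
    try:
        run_hardened(MALICIOUS_HOST)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        # A line containing only "INJECTED" proves the second command executed.
        "vulnerable_ran_second_command": "INJECTED" in vulnerable_out.splitlines(),
        # The argument-list form echoes the payload back as inert text.
        "list_args_kept_input_literal": literal_out.strip()
        == "pinging example.com; echo INJECTED",
        "hardened_rejected_input": hardened_rejected,
    }


if __name__ == "__main__":
    for name, outcome in demo_injection_outcome().items():
        print(f"{name}: {outcome}")
```

Running the script shows the three outcomes side by side: the `shell=True` call executes the injected `echo INJECTED`, the list form prints the payload back unchanged, and the validated form refuses the input before any process is started. The same split applies to Go's `exec.Command` and Node's `execFile`/`spawn` with array arguments.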