# Command Injection (CWE-78) User input is passed unsanitized to system shell commands, allowing attackers to execute arbitrary commands on the server. **Stack:** JavaScript - Prevalence: Common Found in many applications - Impact: Critical Full server compromise - Prevention: Avoid shell Use execFile, not exec **OWASP:** Injection (A03:2021-Injection) - #3 ## Description This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system. ## Prevention Estratégias de prevenção para OS Command Injection baseadas em 1 regras de detecção do Shoulder. ### JavaScript Use execFile/spawn with array arguments instead of exec with string commands ## Warning Signs - [CRITICAL] user input flowing to shell command execution functions ## Consequences - Executar comandos não autorizados - Ler dados da aplicação - Burlar mecanismo de proteção ## Mitigations - Use chamadas de biblioteca em vez de processos externos - Se usar Runtime.exec(), utilize a versão que recebe um array de argumentos - Use mecanismos estruturados que apliquem automaticamente a separação entre dados e código ## Detection - Total rules: 3 - Critical: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions. - Remediation: Use execFile() with argument arrays instead of exec() with string commands. ```javascript const { execFile } = require('child_process'); execFile('ls', ['-la', directory]); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection ### Typescript (1 rules) - **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions. - Remediation: Use execFile() with argument arrays instead of exec() with string commands. ```javascript const { execFile } = require('child_process'); execFile('ls', ['-la', directory]); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection