# Command Injection via os/exec

- ID: go-command-injection
- Severity: CRITICAL
- CWE: OS Command Injection (CWE-78)
- Languages: Go

## Description

Detects user input flowing to `os/exec` command execution, enabling OS command injection.

## Detection Message

Untrusted input from {source} reaches command execution at {sink}. This allows an attacker to execute arbitrary commands on the server.

## Remediation

Use `exec.Command` with explicit arguments rather than a shell command line, and validate input against an allowlist.

```go
import (
	"errors"
	"os/exec"
)

// Fixed allowlist: anything else is rejected before it reaches exec.
var allowed = map[string]bool{"file1.txt": true, "file2.txt": true}

func catFile(userInput string) (*exec.Cmd, error) {
	if !allowed[userInput] {
		return nil, errors.New("not allowed")
	}
	// The value is passed as its own argv element; no shell parses it.
	return exec.Command("cat", userInput), nil
}
```

Learn more: https://shoulder.dev/learn/go/cwe-78/command-injection

## Documentation

## Related Rules

- **Command Injection via child_process** [CRITICAL]
- **OS Command Injection** [CRITICAL]
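The following is an added, runnable example (not part of the rule page or the shoulder.dev project) that places the pattern this rule flags beside the remediated form. `unsafeCat` concatenates user input into an `sh -c` string, so the input is parsed by the shell; `safeCat` applies the allowlist and passes the value as a single argv element. The helper `shellFragment` and the `sampleInputs` slice are hypothetical names constructed for the demonstration, and the commands are built but never run, so the difference is visible purely in `cmd.Args`.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// sampleInputs: constructed values a request handler might receive. The last
// three are the kind of test inputs a detection engineer uses to confirm a sink
// is reachable; none of them should ever reach a shell.
var sampleInputs = []string{
	"file1.txt",
	"file1.txt; echo injected",
	"$(echo injected)",
	"../file1.txt",
}

// unsafeCat is the pattern the rule reports: the user's value becomes part of a
// shell script string, so metacharacters in it change what the shell executes.
func unsafeCat(userInput string) *exec.Cmd {
	return exec.Command("sh", "-c", "cat "+userInput)
}

// allowedFiles is the fixed allowlist of names a caller may request.
var allowedFiles = map[string]bool{"file1.txt": true, "file2.txt": true}

var errNotAllowed = errors.New("not allowed")

// safeCat validates against the allowlist first, then hands the value to
// exec.Command as its own argument; no shell is involved at any point.
func safeCat(userInput string) (*exec.Cmd, error) {
	if !allowedFiles[userInput] {
		return nil, errNotAllowed
	}
	return exec.Command("cat", userInput), nil
}

// shellFragment reports whether userInput ended up embedded inside another
// argv element (a shell script string) rather than standing as its own element.
func shellFragment(cmd *exec.Cmd, userInput string) bool {
	for _, a := range cmd.Args {
		if a == userInput {
			return false // intact argv element: the shell never sees it
		}
	}
	return strings.Contains(strings.Join(cmd.Args, " "), userInput)
}

func main() {
	for _, in := range sampleInputs {
		u := unsafeCat(in)
		fmt.Printf("%-26q unsafe argv=%q shell-parsed=%v\n", in, u.Args, shellFragment(u, in))
		if s, err := safeCat(in); err != nil {
			fmt.Printf("%-26q safe:   rejected (%v)\n", in, err)
		} else {
			fmt.Printf("%-26q safe:   argv=%q shell-parsed=%v\n", in, s.Args, shellFragment(s, in))
		}
	}
}
```

Running it shows every input landing inside the `sh -c` script in the unsafe variant, while the safe variant rejects all but `file1.txt` and passes that one as a separate argv element. The allowlist is doing the real work: `exec.Command("cat", userInput)` alone would still let a caller choose any path the process can read, which is why the remediation pairs explicit arguments with validation.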