Improper Neutralization of Special Elements used in an OS Command
User input is passed unsanitized to system shell commands, allowing attackers to execute arbitrary commands on the server.
How to fix this vulnerability
Prevention strategies for OS Command Injection based on 3 Shoulder detection rules.
Use exec.Command with explicit arguments, never shell invocation
package main import ( "net/http" "os/exec" - ) - - func handler(w http.ResponseWriter, r *http.Request) { - cmd := r.URL.Query().Get("cmd") - // Vulnerable: shell invocation with user input - output, _ := exec.Command("sh", "-c", cmd).Output() + "regexp" + ) + + var safePattern = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`) + + func handler(w http.ResponseWriter, r *http.Request) { + filename := r.URL.Query().Get("file") + // Validate input + if !safePattern.MatchString(filename) { + http.Error(w, "Invalid filename", http.StatusBadRequest) + return + } + // Safe: explicit command with validated argument + output, _ := exec.Command("cat", filename).Output() w.Write(output) }
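Review bot: the new `output, _ := exec.Command("cat", filename).Output()` line discards the error, so when the file is missing or unreadable the handler still answers 200 with an empty body; check `err` and return `http.Error(w, ..., http.StatusInternalServerError)` (or 404 for a not-found case) instead. The allowlist `^[a-zA-Z0-9._-]+$` also accepts `.` and `..`, and `cat` resolves the name relative to the process working directory, so pin the read to a fixed base directory (for example `filepath.Join(baseDir, filename)` after rejecting `.` and `..`) rather than letting the caller choose any entry in the current directory.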
Use execFile/spawn with array arguments instead of exec with string commands
- const { exec } = require('child_process'); - - app.get('/convert', (req, res) => { - const filename = req.query.file; - exec(`convert $(unknown) output.png`, (err, stdout) => { + const { execFile } = require('child_process'); + + app.get('/convert', (req, res) => { + const filename = req.query.file; + execFile('convert', [filename, 'output.png'], (err, stdout) => { res.send('Converted'); }); });
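Review bot: in the new `execFile('convert', [filename, 'output.png'], (err, stdout) => { res.send('Converted'); })` call, `err` is never checked and the handler reports 'Converted' unconditionally, so a failed conversion is presented to the client as success; respond with a 500 when `err` is set. `filename` is also passed straight from `req.query.file` with no validation: Express yields an array when the parameter is repeated, and a value beginning with `-` reaches `convert` as an option rather than a file name, so require a single string matching an allowlist such as the `^[a-zA-Z0-9._-]+$` used in the Go example before spawning.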
Use subprocess.run with list arguments and shell=False
import subprocess from flask import request @app.route('/convert') def convert(): filename = request.args.get('file') - subprocess.run(f'convert (unknown) output.png', shell=True) + subprocess.run(['convert', filename, 'output.png'], check=True) return 'Done'
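Review bot: the new `subprocess.run(['convert', filename, 'output.png'], check=True)` line passes `filename` without checking it: `request.args.get('file')` returns `None` when the parameter is absent, which makes `subprocess.run` raise `TypeError`, and a value starting with `-` is parsed by `convert` as an option. Validate the value first (present, and matching an allowlist such as `^[a-zA-Z0-9._-]+$`) and return 400 otherwise; since `check=True` raises `subprocess.CalledProcessError` on a non-zero exit, catch it as well so a failed conversion does not surface as an unhandled 500.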
Find vulnerabilities in your code
Use Shoulder to scan your codebase for Command Injection patterns. 3 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=78
# Or scan entire project
npx @shoulderdev/cli trust .
Detection Rules (3)
What to watch for in code reviews
These patterns indicate potential Command Injection vulnerabilities. Look for these during code reviews and security audits.
Manual review patterns
When reviewing code manually, search for these dangerous patterns.
query = + string concatenation
execute(f"... or execute("..." +
raw_query, rawQuery, executeRaw
${ or #{ inside SQL strings
How security experts think
The mental model security professionals use when reviewing for this vulnerability.
Map entry points
URL params, POST bodies, headers, cookies, file uploads.
Trace data flow
Follow input through the code. Does it get sanitized?
Identify sinks
Where queries are executed: execute(), query()
Check trust boundaries
Watch for stored data used in queries.
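The review checklist above (map entry points, trace data flow, identify sinks) and the manual-review patterns can be mechanised as a first pass over a codebase. The following is an added example, not Shoulder's code or its detection rules: a small Python scanner that records request-derived variable names per file, flags the shell-style sinks shown in the three fix sections on this page (`exec.Command("sh", "-c", ...)`, `exec()` called with a command string, `shell=True`) plus `os.system`, and marks a finding as tainted when one of those names appears in the sink call. The sample source lines are constructed for the example; their variable names and the `${filename}`-style interpolation are assumptions, not copied from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample sources (not taken from any real project). Each file holds
# an entry point, the vulnerable sink from the matching fix section above, and
# the fixed call, so the scanner should flag exactly one line per file.
SAMPLE_SOURCES = {
    "handler.go": [
        'cmd := r.URL.Query().Get("cmd")',
        'output, _ := exec.Command("sh", "-c", cmd).Output()',
        'output, _ := exec.Command("cat", filename).Output()',
    ],
    "convert.js": [
        "const filename = req.query.file;",
        "exec(`convert ${filename} output.png`, (err, stdout) => {",
        "execFile('convert', [filename, 'output.png'], (err, stdout) => {",
    ],
    "convert.py": [
        "filename = request.args.get('file')",
        "subprocess.run(f'convert {filename} output.png', shell=True)",
        "subprocess.run(['convert', filename, 'output.png'], check=True)",
    ],
}

# Step 1, "map entry points": assignments that pull a value out of the request.
# Each pattern captures the variable name that becomes tainted.
ENTRY_POINT_PATTERNS = [
    re.compile(r"(\w+)\s*:?=\s*r\.URL\.Query\(\)\.Get\("),                      # Go net/http
    re.compile(r"(?:const|let|var)\s+(\w+)\s*=\s*req\.(?:query|body|params)\."),  # Express
    re.compile(r"(\w+)\s*=\s*request\.(?:args|form|values)\.get\("),             # Flask
]

# Step 3, "identify sinks": command execution through a shell or a command string.
SINK_RULES = [
    ("go-shell-invocation", re.compile(r'exec\.Command\(\s*"(?:sh|bash)"\s*,\s*"-c"')),
    ("node-exec-string", re.compile(r"\bexec\(\s*[`\"']")),
    ("python-shell-true", re.compile(r"\bshell\s*=\s*True\b")),
    ("python-os-system", re.compile(r"\bos\.system\(")),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int          # 1-based line number within the file
    rule: str
    tainted: bool      # True when a request-derived variable reaches the sink
    source: str


def scan_file(name, lines):
    """Walk one file top to bottom, collecting tainted names before checking sinks."""
    tainted = set()
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for pattern in ENTRY_POINT_PATTERNS:
            m = pattern.search(line)
            if m:
                tainted.add(m.group(1))
        for rule, pattern in SINK_RULES:
            if not pattern.search(line):
                continue
            # Step 2, "trace data flow": does a tainted name appear in the sink call?
            reaches = any(re.search(rf"\b{re.escape(v)}\b", line) for v in tainted)
            findings.append(Finding(name, line_no, rule, reaches, line.strip()))
    return findings


def scan(sources):
    """Scan a {filename: [lines]} mapping and return findings, tainted sinks first."""
    findings = []
    for name, lines in sources.items():
        findings.extend(scan_file(name, lines))
    return sorted(findings, key=lambda f: (not f.tainted, f.file, f.line))


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCES):
        severity = "HIGH" if f.tainted else "REVIEW"
        print(f"{severity:6} {f.file}:{f.line} [{f.rule}] {f.source}")
```

Run as a script it prints tainted sinks first; a sink with no request-derived variable in the same file still appears, marked for review, because the tracking here is per line and per file and does not follow values across function calls or modules. The fixed calls in each sample (explicit `cat` argument, `execFile` with an array, `subprocess.run` with a list) produce no finding, which is the behaviour a reviewer wants from a sink rule.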
Scan your codebase for Command Injection
Shoulder CLI finds vulnerable patterns across your entire codebase.