# Command Injection (CWE-78) User input is passed unsanitized to system shell commands, allowing attackers to execute arbitrary commands on the server. **Stack:** JavaScript - Prevalence: Common Found in many applications - Impact: Critical Full server compromise - Prevention: Avoid shell Use execFile, not exec **OWASP:** Injection (A03:2021-Injection) - #3 ## Description This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system. ## Prevention Prevention strategies for OS Command Injection based on 1 Shoulder detection rules. ### JavaScript Use execFile/spawn with array arguments instead of exec with string commands ## Warning Signs - [CRITICAL] user input flowing to shell command execution functions ## Consequences - Execute Unauthorized Commands - Read Application Data - Bypass Protection Mechanism ## Mitigations - Use library calls rather than external processes - If using Runtime.exec(), use the version that takes an array of arguments - Use structured mechanisms that automatically enforce separation between data and code ## Detection - Total rules: 3 - Critical: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions. - Remediation: Use execFile() with argument arrays instead of exec() with string commands. ```javascript const { execFile } = require('child_process'); execFile('ls', ['-la', directory]); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection ### Typescript (1 rules) - **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions. - Remediation: Use execFile() with argument arrays instead of exec() with string commands. ```javascript const { execFile } = require('child_process'); execFile('ls', ['-la', directory]); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-78/command-injection