# Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

- Prevalence: High
- Impact: High (OWASP Top 10 #3)
- Prevention: See the MITRE external references

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Command injection vulnerabilities typically occur when data enters the application from an untrusted source, the data becomes part of a string that the application executes as a command, and executing that command lets the attacker run commands they would not normally be able to run.

## Consequences

- Execute unauthorized commands
- Read application data
- Modify application data
- Denial of service (DoS)

## Mitigations

- Use library calls rather than external processes to implement the required functionality
- Run the code in a sandbox environment that enforces strict boundaries
- Use a vetted library or framework that prevents this weakness
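As an added example (not code from the CWE entry or from MITRE), the pattern the description warns about is shown beside the first and third mitigations for a hypothetical feature that computes a checksum of a file whose name arrives from a request. The function names, the upload directory and the allowlist pattern are assumptions made for this illustration.

```python
"""Added example for CWE-77: string-built command vs. hardened alternatives.
Every name here (SAFE_NAME, weak_checksum_command, ...) is a constructed
illustration, not an API of any real library."""
import hashlib
import os
import re
import subprocess
from typing import List

# Positive validation: a plain file name, no separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_name(name: str) -> bool:
    """Accept only names that match the allowlist; reject everything else."""
    return SAFE_NAME.fullmatch(name) is not None


def weak_checksum_command(name: str) -> str:
    """The CWE-77 pattern: untrusted input is concatenated into one string
    that a shell later parses, so special characters in `name` alter the
    command. Returned for inspection only; it is deliberately never executed."""
    return "sha256sum " + name  # would typically go to os.system / shell=True


def hardened_checksum_argv(name: str, base_dir: str) -> List[str]:
    """Mitigation: validate first, then build an argv list. With shell=False
    the downstream program receives the value as a single argument and no
    shell ever interprets it."""
    if not is_safe_name(name):
        raise ValueError("rejected file name")
    return ["sha256sum", os.path.join(base_dir, name)]


def run_hardened(name: str, base_dir: str) -> str:
    """Execute the argv form without a shell (assumes sha256sum is installed)."""
    argv = hardened_checksum_argv(name, base_dir)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)
    return done.stdout


def library_checksum(name: str, base_dir: str) -> str:
    """Preferred mitigation: a library call does the work, so no command
    string exists to inject into."""
    if not is_safe_name(name):
        raise ValueError("rejected file name")
    digest = hashlib.sha256()
    with open(os.path.join(base_dir, name), "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()
```

The weak function is kept only to show how the untrusted value survives intact into the command string; the two hardened forms either keep the value out of any shell or avoid spawning a process at all.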