Command Injection

Review child_process usage
🛡️ 3 rules detect this issue

Improper Neutralization of Special Elements used in an OS Command

User input is passed unsanitized to system shell commands, allowing attackers to execute arbitrary commands on the server.

Prevalence: Common. Found in many applications.
Impact: Critical. Full server compromise.
Prevention: Avoid the shell. Use execFile, not exec.
2 Prevention

How to fix this vulnerability

OS Command Injection prevention strategies based on 3 Shoulder detection rules.

Command Injection via os/exec CRITICAL

Use exec.Command with explicit arguments, never shell invocation

+14 -6 go
  package main
  
  import (
      "net/http"
      "os/exec"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     cmd := r.URL.Query().Get("cmd")
-     // Vulnerable: shell invocation with user input
-     output, _ := exec.Command("sh", "-c", cmd).Output()
+     "regexp"
+ )
+ 
+ var safePattern = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     filename := r.URL.Query().Get("file")
+     // Validate input
+     if !safePattern.MatchString(filename) {
+         http.Error(w, "Invalid filename", http.StatusBadRequest)
+         return
+     }
+     // Safe: explicit command with validated argument
+     output, _ := exec.Command("cat", filename).Output()
      w.Write(output)
  }
  
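Review bot: the allowlist `^[a-zA-Z0-9._-]+$` still accepts names that begin with `-`, which `cat` would parse as an option, and the bare names `.` and `..`; anchor the pattern on an alphanumeric first character, e.g. `^[a-zA-Z0-9][a-zA-Z0-9._-]*$`, or pass `"--"` before `filename`. The error from `.Output()` is also discarded, so a failed `cat` returns an empty 200 response; check `err` and return `http.StatusInternalServerError` instead.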
Command Injection via child_process CRITICAL

Use execFile/spawn with array arguments instead of exec with string commands

+5 -5 javascript
- const { exec } = require('child_process');
- 
- app.get('/convert', (req, res) => {
-   const filename = req.query.file;
-   exec(`convert $(unknown) output.png`, (err, stdout) => {
+ const { execFile } = require('child_process');
+ 
+ app.get('/convert', (req, res) => {
+   const filename = req.query.file;
+   execFile('convert', [filename, 'output.png'], (err, stdout) => {
      res.send('Converted');
    });
  });
  
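Review bot: unlike the Go fix, `filename` reaches `execFile` with no validation, so an empty, undefined or option-like value (one starting with `-`) is handed to `convert` unchecked; validate it against the same allowlist before the call and return 400 on failure. `err` is also ignored and `'Converted'` is sent even when the command fails; branch on `err` and return an error status. Minor: `app` is used without the `express` setup being shown.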
OS Command Injection CRITICAL

Use subprocess.run with list arguments and shell=False

+1 -1 python
  import subprocess
  from flask import request
  
  @app.route('/convert')
  def convert():
      filename = request.args.get('file')
-     subprocess.run(f'convert (unknown) output.png', shell=True)
+     subprocess.run(['convert', filename, 'output.png'], check=True)
      return 'Done'
  
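Review bot: `request.args.get('file')` returns `None` when the parameter is absent, which makes `subprocess.run` raise `TypeError`; validate `filename` (non-empty, allowlisted characters, not starting with `-`) and return 400 before the call. With `check=True`, a non-zero exit raises `CalledProcessError`, which Flask turns into an unhandled 500; catch it and return an error response rather than falling through to `'Done'`.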
3 Detection
4 Warning signs

What to look for in code review

These patterns indicate potential Command Injection vulnerabilities. Look for them during code reviews and security audits.

🔴 go-command-injection: user input flowing to os/exec command execution, enabling OS command injection
🔴 javascript-command-injection: user input flowing to shell command execution functions
🔴 python-command-injection: untrusted user input flowing into operating system command execution functions without proper saniti
5 Code audit

Manual review patterns

When reviewing code by hand, look for these dangerous patterns.

Red flags to search for
query = + string concatenation
execute(f"... or execute("..." +
raw_query, rawQuery, executeRaw
${ or #{ inside SQL strings
6 Expert analysis

How a security expert thinks

The mental model security professionals use when reviewing this vulnerability.

1 Map the entry points
URL parameters, POST bodies, headers, cookies, file uploads.

2 Trace the data flow
Follow the input as it moves through the code. Is it sanitized?

3 Identify the sinks
Where queries are executed: execute(), query()

4 Check trust boundaries
Watch for stored data being used in queries.
