Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Rule ID: go_gosec_injection_subproc_injection
Languages: go
Source: subproc_injection.yml

Description

OS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.

Remediations

Prevent OS command injection by adhering to the following practices:

❌ Avoid Direct User Input

Do not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.

✅ Implement Input Validation

Ensure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.

✅ Use Hardcoded Arguments

When invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.

✅ Utilize Temporary Files Securely

When dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.

✅ Employ Native Libraries

Where possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.

import (
    "io/ioutil"
    "os/exec"
    "log"
)

func main() {
    userData := []byte("user data")

    // Create a temporary file in a secure, application-specific directory
    f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
    if err != nil {
        log.Fatal(err)
    }

    // Write user data to the temporary file
    if _, err := f.Write(userData); err != nil {
        f.Close()
        log.Fatal(err)
    }

    // Close the file handle
    if err := f.Close(); err != nil {
        log.Fatal(err)
    }

    // Execute a command using the temporary file, avoiding direct user input for filenames
    out, err := exec.Command("/bin/cat", f.Name()).Output()
    if err != nil {
        log.Fatal(err)
    }
    // Output can be used for further processing
}

Resources

OWASP OS Command Injection Defense Cheat Sheet

Associated CWE

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

OWASP Top 10

A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_injection_subproc_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_injection_subproc_injection

Ready to take the next step? Learn more about Bearer Cloud.