Unsanitized external input in code execution

• Rule ID: go_gosec_subproc_subproc
• Languages: go
• Source: subproc.yml

Description

Unsanitized external input in code execution can result in code injection. This vulnerability arises when external or user-provided data is directly used in the execution flow of a program without proper sanitization, potentially leading to unauthorized actions or access.

Remediations

• Do not pass unsanitized external input directly to execution functions. This practice can introduce code injection vulnerabilities.
• Do implement thorough input validation. Ensure all external input is checked against a strict set of rules to verify it does not contain harmful characters or patterns.

References

• OWASP Code injection explained

Associated CWE

• CWE-94: Improper Control of Generation of Code ('Code Injection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_subproc_subproc

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_subproc_subproc