Unsanitized user input in code generation

• Rule ID: java_lang_code_injection
• Languages: java
• Source: code_injection.yml

Description

Allowing user input to directly influence code generation or scripting functions without proper sanitization can lead to code injection vulnerabilities. This occurs when an attacker is able to insert malicious code into your application, which is then executed, potentially leading to unauthorized actions or data access.

Remediations

• Do not pass unsanitized user input to functions or methods that dynamically execute code.
• Do always validate or sanitize input to ensure it does not contain harmful code before using it in such contexts.

References

• OWASP Code injection

Associated CWE

• CWE-94: Improper Control of Generation of Code ('Code Injection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_code_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_code_injection