Unsanitized user input in code generation

Description

Passing external input into functions that generate, evaluate or dynamically invoke code is bad security practice: it can lead to code injection, where an attacker supplies malicious code that the application then executes with its own privileges, with potentially harmful results.

Remediations

❌ Never pass raw user input to functions and methods that evaluate, compile or dynamically invoke code
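The pattern this rule flags, next to a safe alternative, as an added example (this is not code from the original page or from the Bearer project). It assumes a servlet-style handler in which `formula`, `rule` and `amount` are request parameters, and that a JSR-223 JavaScript engine is available (Nashorn on JDK 8 to 14, or a GraalJS dependency on newer JDKs); the class, method and rule names are hypothetical.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.Map;
import java.util.function.DoubleBinaryOperator;

// Hypothetical discount calculator used to show the vulnerable and the hardened form.
public class DiscountCalculator {

    // VULNERABLE: the user-controlled "formula" parameter is evaluated as script.
    // An attacker can submit something like
    //   java.lang.Runtime.getRuntime().exec("...")
    // and it runs inside the JVM with the application's privileges.
    public static double vulnerable(String userFormula, double price) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            // Nashorn was removed in JDK 15; a JSR-223 engine such as GraalJS is assumed.
            throw new IllegalStateException("no JavaScript engine available");
        }
        engine.put("price", price);
        return ((Number) engine.eval(userFormula)).doubleValue();
    }

    // HARDENED: the user picks a rule by name from a fixed allow-list and supplies a
    // numeric argument. Nothing the user sends is ever interpreted as code.
    private static final Map<String, DoubleBinaryOperator> RULES = Map.of(
        "percent", (price, arg) -> price * (1 - arg / 100.0),
        "flat",    (price, arg) -> Math.max(0, price - arg)
    );

    public static double hardened(String ruleName, String amountParam, double price) {
        DoubleBinaryOperator rule = RULES.get(ruleName);
        if (rule == null) {
            throw new IllegalArgumentException("unknown discount rule");
        }
        double arg;
        try {
            arg = Double.parseDouble(amountParam);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("amount must be numeric");
        }
        if (arg < 0) {
            throw new IllegalArgumentException("amount must not be negative");
        }
        return rule.applyAsDouble(price, arg);
    }

    public static void main(String[] args) throws ScriptException {
        // Both calls compute a 10% discount on 200.0; only the first lets the
        // caller run arbitrary script.
        System.out.println(vulnerable("price * 0.9", 200.0));
        System.out.println(hardened("percent", "10", 200.0));
    }
}
```

The same principle applies to reflective invocation: if a request parameter must choose a class or method, map it through an allow-list of known names rather than passing it to `Class.forName` or `Method.invoke` directly.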

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_code_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_code_injection
