OS command injection vulnerability detected.

• Rule ID: javascript_aws_lambda_os_command_injection
• Languages: javascript
• Source: os_command_injection.yml

Description

Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.

Remediations

Think twice if user input is really needed there.

It might be possible to use dynamic hardcoded values:

exports.handler = async (event) => {
    let filePattern = "*.js"

    if event["graphql"] {
      filePattern = "*.gql"
    }

    cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});
};

Resources

• OWASP command injection explained

Associated CWE

• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10

• A03:2021 - Injection