Unsanitized dynamic input in OS command

Description

Incorporating unsanitized dynamic input directly into operating system commands poses a significant security risk. This practice could give attackers the opportunity to execute harmful commands on your system.

Remediations

  • Do use static, hardcoded values in command strings - wherever possible - to avoid relying on dynamic data.
    const cp = require("child_process");
    let filePattern = "*.js"; // static value: no request or user data reaches the shell
    cp.exec(`cp ${filePattern} destinationFolder`, (error, stdout, stderr) => {});
  • Do sanitize any dynamic input used in OS commands to ensure it does not contain malicious code. This can be achieved by validating and escaping the input.

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_dynamic_os_command

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_dynamic_os_command