Unsanitized dynamic input in OS command

Description

Using dynamic input directly in an OS command can allow attackers to perform dangerous commands on the operating system.

Remediations

Think twice if user input is really needed there.

It might be possible to use dynamic hardcoded values:

  let filePattern = "*.js"

if sanitized(filePattern) {
filePattern = "*.gql"
}

cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_dynamic_os_command

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_dynamic_os_command