Unsanitized user input in OS command

• Rule ID: javascript_lang_os_command_injection
• Languages: javascript
• Source: os_command_injection.yml

Description

Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.

Remediations

Think twice if user input is really needed there.

It might be possible to use dynamic hardcoded values:

  let filePattern = "*.js"

  if req.params.graphql {
    filePattern = "*.gql"
  }

  cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});

Resources

• OWASP command injection explained

Associated CWE

• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_os_command_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_os_command_injection