OS command injection vulnerability detected.

Rule ID: javascript_lang_os_command_injection
Languages: javascript
Source: os_command_injection.yml

Description

Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.

Remediations

Think twice if user input is really needed there.

It might be possible to use dynamic hardcoded values:

  let filePattern = "*.js"

  if req.params.graphql {
    filePattern = "*.gql"
  }

  cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});

Resources

OWASP command injection explained

Associated CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10

A03:2021 - Injection

Ready to take the next step? Join the Bearer Cloud waitlist.