Unsanitized user input in OS command

Description

Executing operating system commands with unsanitized user input can lead to command injection vulnerabilities. This occurs when attackers manipulate the input to execute unauthorized commands, potentially gaining control over the system.

Remediations

  • Do not directly use user input in OS command execution. This can open up the system to command injection attacks.
  • Do use static or predefined values for command parameters when possible. This reduces the risk of injection and ensures that the command operates within expected parameters.
    const cp = require("child_process");

    // The pattern is chosen from predefined values; req.params.graphql only
    // selects which one, so its content never reaches the shell.
    let filePattern = "*.js";

    if (req.params.graphql) {
      filePattern = "*.gql";
    }

    cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});
  • Do validate and sanitize all user input used in OS commands. Ensure that the input does not contain malicious characters or command sequences.

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_os_command_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_os_command_injection