Unsanitized user input in OS command
- Rule ID: javascript_lang_os_command_injection
- Languages: javascript
- Source: os_command_injection.yml
Description
Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.
Remediations
Think twice if user input is really needed there.
It might be possible to use dynamic hardcoded values:
let filePattern = "*.js"
if req.params.graphql {
filePattern = "*.gql"
}
cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_os_command_injection
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_lang_os_command_injection