Unsanitized user input in OS command

Description

Executing OS commands that include user-supplied data can lead to command injection vulnerabilities. This occurs when an application dynamically executes OS commands that an attacker can manipulate through user input.

Remediations

  • Do not directly include user input in commands to be executed by the OS. This can allow attackers to inject malicious commands.

    exec($_GET["command"]); // unsafe

  • Do use a predefined set of commands instead of directly including user input, if user input has to influence the execution flow.

    if ($_GET["action"] == "option1") {
        $command = "command1";
    } else {
        $command = "command2";
    }

    exec($command);
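As an added example (not from the Bearer rule page), the allow-list pattern above extended to a lookup table of fixed commands plus the harder case where a request value must become a command argument; ALLOWED_ACTIONS, LOG_DIR, run_action() and tail_log() are hypothetical names:

```php
<?php
// Added example, not part of the Bearer rule page. Request values are used only
// as allow-list keys or strictly validated, escaped arguments; they never reach
// the shell as free text. All names below are hypothetical.

const LOG_DIR = '/var/log/myapp'; // hypothetical directory of readable logs

// Each entry is a fixed argv array; the keys are the only values a request may pick.
const ALLOWED_ACTIONS = [
    'disk'   => ['df', '-h'],
    'uptime' => ['uptime'],
];

/**
 * Run the fixed command registered for $action.
 * Returns [exit code, output lines], or null when the action is not allowed.
 */
function run_action(string $action): ?array
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null; // refuse unknown actions instead of interpolating them
    }
    // escapeshellarg() on every token keeps the line safe even if an entry is edited later.
    $cmd = implode(' ', array_map('escapeshellarg', ALLOWED_ACTIONS[$action]));
    exec($cmd, $output, $code);
    return [$code, $output];
}

/**
 * When input must become an argument (here a log file name), constrain it to a
 * strict character class, confine it to a fixed directory and still escape it.
 */
function tail_log(string $name): ?array
{
    // Must start alphanumeric, so "." and ".." are rejected; "/" is never allowed.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/', $name)) {
        return null; // also rejects ";", "|", "$(", backticks and whitespace
    }
    $path = LOG_DIR . '/' . $name;
    exec('tail -n 50 ' . escapeshellarg($path), $output, $code);
    return [$code, $output];
}

// Usage: the raw $_GET values are only ever a lookup key or a validated argument.
$result = isset($_GET['log'])
    ? tail_log((string) $_GET['log'])
    : run_action((string) ($_GET['action'] ?? ''));
if ($result === null) {
    http_response_code(400);
    echo "Unknown action or file\n";
} else {
    echo implode("\n", $result[1]), "\n";
}
```

Bearer flags the second function as well if the request value is concatenated unescaped; the regex check and escapeshellarg() together are what make it safe to pass on.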

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_exec_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_exec_using_user_input