Unsanitized external input in code generation

Description

Allowing external input (dynamic or user-controlled) to directly influence code generation or scripting functions without proper sanitization can lead to code injection vulnerabilities. This occurs when an attacker is able to insert malicious code into your application, which is then executed, potentially leading to unauthorized actions or data access.

Remediations

  • Do not pass unsanitized external input to functions or methods that dynamically execute code.
  • Do always validate or sanitize input to ensure it does not contain harmful code before using it in such contexts.

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_lang_code_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_lang_code_injection