Unsanitized user input in code generation

Overview

Rule ID: java_lang_code_injection
Applicable Languages: Java
Weakness ID: CWE-94

Description

Allowing user input to directly influence code generation or scripting functions without proper sanitization can result in code injection vulnerabilities. This occurs when attackers inject malicious code into your application, enabling unauthorized actions or unauthorized access to data when executed.

Remediation Guidelines

Avoid passing unsanitized user input to functions or methods that dynamically execute code.
Always validate or sanitize input to prevent the inclusion of harmful code before utilizing it in such contexts.

References

OWASP Code injection
CWE-94: Improper Control of Generation of Code ('Code Injection')
A03:2021 - Injection

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized user input in AWS query NextUnsanitized user input in deserialization method

Last updated 8 months ago