Unsanitized Dynamic input in OS Command

Overview

Rule ID: javascript_lang_dynamic_os_command
Applicable Languages: Javascript
Weakness ID: CWE-78

Description

Incorporating unsanitized dynamic input directly into operating system commands poses a significant security risk. This practice can give attackers the opportunity to execute harmful commands on your system.

Remediation Guidelines

Do use static, hardcoded values in command strings whenever possible to avoid relying on dynamic data. For example:
```
let filePattern = "*.js";
cp.exec(`cp ${filePattern} destinationFolder`, (error, stdout, stderr) => {});
```
When dynamic input is necessary, sanitize it to ensure it does not contain malicious code. This can be achieved by validating and escaping the input.

References

Configuration

PreviousUnsanitized dynamic input in file path NextUnsanitized dynamic input in regular expression

Last updated 9 months ago