Unsanitized Dynamic input in OS Command

Overview

Rule ID: javascript_lang_dynamic_os_command
Applicable Languages: Javascript
Weakness ID: CWE-78

Description

Incorporating unsanitized dynamic input directly into operating system commands poses a significant security risk. This practice can give attackers the opportunity to execute harmful commands on your system.

Remediation Guidelines

Do use static, hardcoded values in command strings whenever possible to avoid relying on dynamic data. For example:
```
let filePattern = "*.js";
cp.exec(`cp ${filePattern} destinationFolder`, (error, stdout, stderr) => {});
```
When dynamic input is necessary, sanitize it to ensure it does not contain malicious code. This can be achieved by validating and escaping the input.

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized dynamic input in file path NextUnsanitized dynamic input in regular expression

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration