Unsanitized Dynamic input in OS Command

Overview

• Rule ID: javascript_lang_dynamic_os_command

• Applicable Languages: Javascript

• Weakness ID: CWE-78

Description

Incorporating unsanitized dynamic input directly into operating system commands poses a significant security risk. This practice can give attackers the opportunity to execute harmful commands on your system.

Remediation Guidelines

• Do use static, hardcoded values in command strings whenever possible to avoid relying on dynamic data. For example:

  Copy

  let filePattern = "*.js";
  cp.exec(`cp ${filePattern} destinationFolder`, (error, stdout, stderr) => {});
  

• When dynamic input is necessary, sanitize it to ensure it does not contain malicious code. This can be achieved by validating and escaping the input.

References

• OWASP command injection explained

• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

• OWASP Top 10: A03:2021 - Injection

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL