
OS commands should not be vulnerable to command injection attacks

    Details

    • Message:
      Change this code to not construct the OS command from user-controlled data.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Cobol, JavaScript, Objective-C, VB.Net, VB6
    • Covered Languages:
      ABAP, C#, Java, PHP, Python
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-78, CWE-77, CWE-88
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindSecBugs:
      COMMAND_INJECTION

      Description

      Applications that execute operating system commands built from user-controlled data should control the command name that gets executed; otherwise an attacker can inject arbitrary commands and compromise the underlying operating system.

      The mitigation strategy can be based on a list of authorized and safe commands to execute and, when a shell is spawned, on sanitizing shell meta-characters.
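      As an added illustration of the mitigation strategy described above (example code written for this page, not taken from the rule or from any of its language implementations; the allowlist entries, helper names and the `/bin/ls` and `/usr/bin/du` paths are assumptions): the pattern the rule flags next to a hardened form that takes the program from a fixed allowlist, passes user data only as separate arguments, and quotes it only when a shell is genuinely required.

```python
import shlex
import subprocess

# The pattern this rule reports: the command line is concatenated from user data
# and handed to a shell, so ";", "|", "$(...)" etc. in the input change what runs.
def flagged_disk_usage(user_path):
    return subprocess.run("du -sh " + user_path, shell=True)  # noncompliant

# Hardened form. Constructed allowlist (assumption): a user-supplied keyword maps
# to a fixed program path, so the program to execute never comes from user input.
ALLOWED_COMMANDS = {
    "list": "/bin/ls",
    "disk-usage": "/usr/bin/du",
}

class CommandNotAllowed(ValueError):
    """Raised when the requested command or its arguments are rejected."""

def build_argv(command_name, user_args):
    """Return an argument vector for an allowlisted command.

    User data is placed only in argument positions; it is never parsed by a
    shell. Option-looking values are rejected so user data cannot add flags.
    """
    if command_name not in ALLOWED_COMMANDS:
        raise CommandNotAllowed(f"command not in allowlist: {command_name!r}")
    for arg in user_args:
        if not arg or arg.startswith("-"):
            raise CommandNotAllowed(f"argument rejected: {arg!r}")
    return [ALLOWED_COMMANDS[command_name], *user_args]

def is_allowed(command_name, user_args):
    """True when build_argv would accept the request, False otherwise."""
    try:
        build_argv(command_name, user_args)
    except CommandNotAllowed:
        return False
    return True

def build_shell_line(command_name, user_args):
    """Only for cases that truly need a shell (e.g. a pipeline): every token is
    quoted with shlex.quote, so shell meta-characters in user data stay literal."""
    return " ".join(shlex.quote(token) for token in build_argv(command_name, user_args))

def run_command(command_name, user_args):
    """Execute the allowlisted command without a shell and return its exit code."""
    argv = build_argv(command_name, user_args)
    return subprocess.run(argv, shell=False, capture_output=True, text=True).returncode
```

The compliant path keeps `shell=False`; `build_shell_line` exists only for the case the description mentions where a shell is spawned and meta-characters must be neutralized.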

      See

        Issue Links

          1. ABAP RSPEC-2811 Language-Specification Active Unassigned
          2. C# RSPEC-4641 Language-Specification Active Unassigned
          3. Java RSPEC-5173 Language-Specification Active Unassigned
          4. PHP RSPEC-5397 Language-Specification Active Unassigned
          5. Python RSPEC-5698 Language-Specification Active Unassigned

        People

          • Assignee:
            Unassigned
          • Reporter:
            ann.campbell.2 Ann Campbell
          • Votes:
            0
          • Watchers:
            3
