Skip to main content

Command Injection

Description

A system command was successfully executed on your application's system. Command injections happen when a user manages to successfully execute arbitrary commands on the host's operating system by abusing a vulnerable endpoint.

Remediation

To prevent command injection attacks:

  • Never use user-submitted input in shell commands.
  • If supported by your language, add semgrep to your development process to ensure detection of potentially vulnerable system shell calls.
  • Use proper input validation techniques to detect and prevent command injection. Keep in mind the input validation should be implemented in the backend as it will be easily bypassed if done in the frontend.

GraphQL Specific

Apollo

To mitigate command injection vulnerabilities in the Apollo framework engine, ensure that user-supplied input is properly sanitized and validated before being used in any command execution context. Employ whitelisting of allowed commands, use built-in libraries for command execution that abstract the underlying system calls, and avoid constructing shell commands with user input. Additionally, consider using security-focused libraries or modules that are designed to prevent command injection, and regularly update the Apollo framework and its dependencies to incorporate security patches.

Yoga

To prevent command injection vulnerabilities in the Yoga framework engine, ensure that any external input is properly sanitized before being used in a command. Use built-in libraries or functions for command execution that avoid shell interpretation, such as execFile instead of exec in Node.js. Additionally, implement allowlists for system commands that the application is permitted to execute, and validate all inputs against these allowlists. Avoid constructing shell commands with user input, and employ security-focused libraries that are designed to handle command execution safely.

Awsappsync

To mitigate the risk of command injection in AWS AppSync, ensure that all user-supplied input is properly validated and sanitized. Use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to handle data securely, and avoid constructing dynamic queries or commands with user input. Implement strict input validation routines to reject unexpected or malicious data. Additionally, employ the principle of least privilege by assigning minimal permissions necessary for the AppSync functions to operate. Regularly review and update your security policies and practices to protect against emerging threats.

Graphqlgo

To mitigate command injection vulnerabilities in a GraphQL Go framework engine, ensure that all user-supplied input is properly sanitized and validated. Use allowlists for command inputs, employ strict type checking, and avoid using user input directly in shell commands. Additionally, leverage secure coding practices such as using safe APIs that abstract command execution details and provide built-in protections against injection attacks.

Graphqlruby

To prevent command injection in the GraphQL Ruby framework, ensure that any user-supplied input is properly sanitized before being used in system commands. Use allow-lists for command and argument values, employ the built-in argument validation features of GraphQL Ruby to enforce strict type checking, and avoid directly passing user-controlled input to system-level operations. Additionally, consider using higher-level abstractions provided by the framework or the underlying operating system for executing actions instead of spawning system processes directly.

Hasura

To prevent command injection in the Hasura framework, ensure that all user inputs are properly validated and sanitized before being used in any dynamic GraphQL queries or database operations. Use prepared statements with variable binding for all database interactions, and avoid constructing queries with string concatenation. Additionally, employ allow-lists for command inputs where possible, and implement strict access controls to limit the exposure of the GraphQL API to untrusted inputs.

REST Specific

Asp_net

To prevent command injection in ASP.NET, validate all user inputs rigorously to ensure they do not contain malicious content. Employ whitelisting for allowed commands and parameters instead of blacklisting bad inputs. Use secure coding practices such as parameterized APIs or stored procedures for database access, and avoid constructing OS commands with user input. Implement least privilege principles for the application's system access. Regularly update the ASP.NET framework and dependencies to mitigate known vulnerabilities.

Ruby_on_rails

In Ruby on Rails, prevent command injection by avoiding the use of methods that execute system commands with user-supplied input. Instead, use Rails built-in methods or, if system interaction is necessary, employ strong input validation, whitelisting, and the use of Ruby's shellescape method to sanitize user input. Additionally, consider using the Open3 library to capture the stdout and stderr to avoid shell command execution.

Next_js

To prevent command injection in a Next.js application, validate and sanitize all user inputs to ensure they do not contain malicious content. Use built-in secure methods for spawning child processes, such as execFile() with a list of safe parameters, instead of exec(). Avoid using eval() or passing user-controlled data to any system shell command. Implement a strong Content Security Policy (CSP) to reduce the risk of XSS, which can lead to command injection. Regularly update dependencies to mitigate known vulnerabilities.

Laravel

In Laravel, to prevent command injection, avoid using functions that execute system commands directly. Instead, use Laravel's built-in features and libraries that are designed to safely handle user input. If you must execute system commands, use the 'symfony/process' component that comes with Laravel to safely run those commands with proper argument escaping. Always validate and sanitize user input rigorously. Additionally, employ the use of Laravel's authorization and policy features to restrict access to functionalities that could potentially expose your application to command injection attacks.

Express_js

To prevent command injection in Express.js applications, validate and sanitize all user inputs to ensure they do not contain malicious characters or patterns. Use child_process.execFile instead of child_process.exec when executing system commands, as execFile does not spawn a shell by default and requires explicit arguments, reducing the risk of shell parameter injection. Additionally, employ libraries like 'helmet' to enhance security headers and 'express-validator' for input validation. Always keep dependencies up-to-date and follow the principle of least privilege when setting permissions for the application.

Django

In Django, ensure that any system commands executed by your application are using the subprocess module with a list of arguments rather than string concatenation. Always validate and sanitize user input to prevent injection, and consider using Django's built-in template system which automatically escapes context variables, rather than directly passing user input to system commands. Additionally, apply the principle of least privilege by running your application with minimal permissions that are necessary for it to function.

Symfony

In Symfony, to prevent command injection, validate and sanitize all user inputs. Use the Process component to safely execute system commands. Avoid directly passing user input to system functions. Implement strict input validation using Symfony's validation constraints to ensure only expected data is processed.

Spring_boot

In Spring Boot applications, prevent command injection by avoiding the use of Runtime.exec() or ProcessBuilder with user-controlled input. Instead, use Spring's abstraction for executing system processes or, if necessary, whitelist specific commands and rigorously validate any input against this list. Employ strong input validation techniques, and consider using the OWASP Java Encoder for safely encoding user input. Additionally, ensure that the principle of least privilege is applied to the system's execution context to minimize the potential impact of a successful injection.

Flask

To prevent command injection in Flask applications, validate and sanitize all user inputs to ensure they do not contain malicious content. Use the 'shlex' module to escape shell arguments, and avoid using Python's 'os.system' or 'subprocess.Popen' with user-supplied input. Instead, employ 'subprocess' with a list of arguments, and leverage the 'shell=False' option to mitigate the risk of command injection attacks.

Nuxt

To prevent command injection in a Nuxt.js application, validate and sanitize all user inputs rigorously. Avoid using user-controllable data to construct shell commands. If you must execute system commands, use secure methods provided by the framework or underlying Node.js environment, such as child_process.execFile with a list of predefined arguments, rather than exec. Additionally, employ libraries like 'helmet' to enhance security headers and use 'eslint-plugin-security' to identify potential security flaws in your code.

Fastapi

To prevent command injection in FastAPI, validate and sanitize all user inputs rigorously. Use built-in libraries for system operations that avoid shell execution, such as 'subprocess' with 'shell=False'. Implement least privilege principles, and consider using an allowlist for system commands that can be executed if necessary.

Configuration

Identifier: injection/command

Options

  • skip_objects : List of objects that are to be skipped by the security test.

Examples

Ignore this check

checks:
injection/command:
skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API10:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 78

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RC:R
  • CVSS_SCORE: 8.5

References