Overview
- Bug Type: Command injection
- Category: Security
Definition
Untrusted input reaches a shell/OS command, allowing arbitrary command execution.
How to fix Command injection?
- Prefer APIs that bypass the shell entirely (exec-style calls with an argument vector, or library calls instead of a child process).
- Enforce strict allowlists on any argument derived from user input.
- Treat shell escaping only as defense-in-depth, never as the primary control.
- Run the command with the least privilege it needs (drop privileges before executing).
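The fix described above, as an added example (not code from the original page): a vulnerable string-concatenated command next to its hardened form, which allowlists the hostname and passes it as a discrete argv element so the shell never parses it. The `ping` command, the hostname pattern and the sample inputs are assumptions for illustration.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Constructed allowlist for a DNS-style hostname: letters, digits, dots and hyphens,
# bounded length. Anything outside this shape is rejected before a process is spawned.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def vulnerable_command(host: str) -> str:
    """The 'before': user input concatenated into a single shell string.
    If this string were handed to a shell, separators in `host` would be
    interpreted as new commands. Returned here, deliberately never executed."""
    return f"ping -c 1 {host}"


def is_allowed_host(host: str) -> bool:
    """Primary control: strict allowlist on the untrusted value."""
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_argv(host: str) -> List[str]:
    """The hardened form: validate, then build an argument vector.
    Each list element reaches the child as one argv entry; no shell is involved,
    so `;`, `|`, `&&`, backticks and `$(...)` have no special meaning."""
    if not is_allowed_host(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def quoted_for_logging(host: str) -> str:
    """Defense-in-depth only: shlex.quote is used when a shell string is
    unavoidable (e.g. writing an audit log), never as the sole protection."""
    return shlex.quote(host)


def echo_via_argv(arg: str) -> str:
    """Demonstrates that argv passing keeps metacharacters literal. Uses the
    current Python interpreter as a portable stand-in for any child process:
    whatever is in `arg` comes back byte-for-byte as sys.argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    probe = "example.com; echo injected"  # constructed input containing a separator
    print("vulnerable string:", vulnerable_command(probe))
    print("allowlist accepts it:", is_allowed_host(probe))
    print("argv keeps it literal:", echo_via_argv(probe))
    print("safe argv for a valid host:", safe_argv("example.com"))
```

Note that `safe_argv` rejects the probe outright; `echo_via_argv` shows the second layer, that even an argument containing separators is delivered to the child as a single inert string when no shell is in the path.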
Symptoms
Observable signs that may indicate Command injection:
- Shell errors when user input contains separators like `&&`, `|`, `;`, or backticks.
- Unexpected files/processes created by requests containing crafted arguments.
- Behavior differences when input includes wildcard or redirection characters.
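A detector for the symptoms listed above, added here as an example and not part of the original page: it parses constructed access-log lines, percent-decodes each query parameter, and flags values carrying shell separators, substitution syntax, wildcards or redirection characters, noting whether the request also produced a 5xx status. The log format, parameter names and sample lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers named in the Symptoms list: separators (&&, ||, |, ;), backticks and
# $( for substitution, wildcard and redirection characters.
META_RE = re.compile(r"&&|\|\||[|;`]|\$\(|[*?<>]")

# Common-log-format line: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /ping?host=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /ping?host=example.com%3Becho%20probe HTTP/1.1" 500 88',
    '10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "GET /ping?host=%60hostname%60 HTTP/1.1" 500 88',
    '10.0.0.12 - - [10/Mar/2024:12:00:15 +0000] "GET /files?name=report*.pdf HTTP/1.1" 200 2048',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target: str) -> List[Dict[str, object]]:
    """Return every query parameter whose decoded value contains a marker."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded payloads.
        decoded = unquote(value)
        markers = sorted(set(META_RE.findall(decoded)))
        if markers:
            hits.append({"param": key, "value": decoded, "markers": markers})
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over log lines; a 5xx status alongside a marker is a
    stronger signal, matching the 'shell errors' symptom above."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({
                "client": rec["client"],
                "status": int(rec["status"]),
                "server_error": rec["status"].startswith("5"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        flag = "5xx" if f["server_error"] else "   "
        for h in f["hits"]:
            print(f"{flag} {f['client']:<10} {h['param']}={h['value']!r} markers={h['markers']}")
```

Decoding before matching matters: the `;` in the second line only appears after `%3B` is decoded, so a detector that matches the raw request line would miss it. Wildcards such as `*` in ordinary filenames will produce benign hits, so treat marker presence as a triage signal and weight the 5xx correlation higher.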
Example Errors:
- sh: 1: cannot open …: Permission denied
- bash: syntax error near unexpected token `;'
- The system cannot find the file specified (Windows)