Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ID

scala.inject.scala_inject_rule_commandinjection

Severity

low

Resource

Inject

Language

Scala

Description

The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.

Rationale

The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.

The following code illustrates a vulnerable pattern detected by this rule:

def danger(cmd: String): Unit = {
  val r = Runtime.getRuntime
  r.exec(cmd)
  r.exec(Array[String]("test"))
  // VULNERABLE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  r.exec(Array[String]("bash", cmd))
  // VULNERABLE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  r.exec(Array[String]("/bin/sh", "-c", cmd))
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
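Added example (not part of this rule's documentation) placing the flagged `/bin/sh -c` pattern beside a hardened form: the input is checked against a strict allowlist and the binary is invoked through `ProcessBuilder` with the value as its own argument, so no shell ever parses it. The `/var/app/reports` path and the allowlist contents are assumptions.

```scala
object CommandExecExample {
  // Constructed allowlist: the only report names a caller may request.
  private val AllowedReports = Set("daily.txt", "weekly.txt")

  // Vulnerable form (the pattern this rule flags): `name` reaches /bin/sh -c,
  // so shell metacharacters in it are parsed as part of the command line.
  def vulnerableShowReport(name: String): Int = {
    val proc = Runtime.getRuntime.exec(
      Array("/bin/sh", "-c", s"cat /var/app/reports/$name"))
    proc.waitFor()
  }

  // Hardened form: reject anything outside the allowlist, then run the binary
  // directly with the argument as its own array element. No shell parses the
  // value, so any metacharacters are passed through literally, never interpreted.
  def safeShowReport(name: String): Either[String, Int] =
    if (!AllowedReports.contains(name))
      Left(s"rejected report name: $name")
    else {
      val pb = new ProcessBuilder("cat", s"/var/app/reports/$name")
      pb.redirectErrorStream(true)
      val proc = pb.start()
      // Drain the child's output so it cannot block on a full pipe.
      proc.getInputStream.readAllBytes()
      Right(proc.waitFor())
    }

  def main(args: Array[String]): Unit = {
    // A value carrying a shell separator is refused before any process starts.
    println(safeShowReport("daily.txt; id"))
    // An allowlisted name runs without a shell; the exit code is cat's result.
    println(safeShowReport("daily.txt"))
  }
}
```

Where an allowlist is too restrictive, the same structure holds with a tight pattern check (for example, only `[A-Za-z0-9_.-]+`) in place of the set lookup; the essential point is that the argument never passes through a shell.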

Configuration

This detector does not need any configuration.

References