OS Command Injection

Severity
High

User input influences a system command. This allows a malicious user to inject additional shell commands and take control of the system. Sanitize the input with Shellwords.escape (Ruby's shellescape helper) before it reaches the shell to avoid injection.

Detector ID
ruby/os-command-injection@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

class UsersController < ActionController::Base
  def oscommand_injection_noncompliant
    cmd = params[:cmd]
    # Noncompliant: User data used directly as a command without escaping
    system(cmd)
  end
end

Compliant example

require "shellwords"

class UsersController < ActionController::Base
  def oscommand_injection_compliant
    cmd = params[:cmd]
    safe_cmd = Shellwords.escape(cmd)
    # Compliant: User data has been escaped
    system(safe_cmd)
  end
end
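The following is an added example, not code from the detector page, that makes the difference between the two handlers concrete. It shows what Shellwords.escape does to a hostile value, what happens when the escaped string is handed to Kernel#system as a whole (the shell then treats the entire value as one program name, so a second command can no longer be injected, but a legitimate "ls -la" also stops working), and the argument-list form of system/IO.popen, which never invokes a shell and so passes metacharacters through literally. The hostile input and the helper names are constructed for this example.

```ruby
require "shellwords"

# Constructed sample of what a client might send as params[:cmd].
HOSTILE_INPUT = "ls; rm -rf /tmp/x"

# Escapes one user-supplied value so the shell sees it as a single word.
# Each metacharacter (space, ';', etc.) is backslash-escaped.
def escape_for_shell(value)
  Shellwords.escape(value)
end

# The single-string form the noncompliant handler would build: the shell
# parses this string, so ';' in user_value starts a second command.
def unsafe_command(user_value)
  "echo #{user_value}"
end

# The detector page's compliant pattern: the whole user value is escaped and
# passed to system as one string. The shell now looks for a program literally
# named "ls; rm -rf /tmp/x", which does not exist, so system returns false
# (or nil if no shell could be spawned). Nothing is injected, but a valid
# command with arguments such as "ls -la" fails the same way.
def run_escaped_whole(user_value)
  system(escape_for_shell(user_value), err: File::NULL)
end

# Argument-list form: no shell is involved, so user_value reaches the program
# as exactly one argv entry, metacharacters included.
def safe_argv(user_value)
  ["echo", user_value]
end

# Runs the argument-list form via IO.popen (same no-shell semantics as
# system(*argv)) and returns the program's output, so the result can be
# inspected instead of only a true/false exit status.
def run_safely(user_value)
  IO.popen(safe_argv(user_value), &:read).chomp
end

if __FILE__ == $PROGRAM_NAME
  puts "escaped:      #{escape_for_shell(HOSTILE_INPUT)}"
  puts "unsafe build: #{unsafe_command(HOSTILE_INPUT)}"
  puts "argv form:    #{run_safely(HOSTILE_INPUT)}"
  puts "whole-escaped system result: #{run_escaped_whole('ls -la').inspect}"
end
```

In a Rails handler the argument-list form would be `system("some_program", params[:cmd])`, which keeps the user value out of shell parsing altogether; Shellwords.escape remains the right tool only when a single command string must be assembled for the shell.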