ajinabraham.njsscan.exec_os_command.generic_os_command_exec2
1,129
Download Count*
License
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
Run Locally
Run in CI
Defintion
rules:
- id: generic_os_command_exec2
patterns:
- pattern-inside: |
var {$EXEC} = require('child_process')
...
- pattern-inside: |
$APP.$METHOD(..., function $FUNC($REQ, $RES, ...){ ... })
- pattern-either:
- pattern: |
exec(..., <... $REQ.$QUERY.$VAR ...>, ...)
- pattern: |
exec(..., <... $REQ.$QUERY ...>, ...)
- pattern: |
execSync(..., <... $REQ.$QUERY.$VAR ...>, ...)
- pattern: |
execSync(..., <... $REQ.$QUERY ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY.$VAR ...>;
...
exec(..., <... $INP ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY ...>;
...
exec(..., <... $INP ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY ...>;
...
execSync(..., <... $INP ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY.$VAR ...>;
...
execSync(..., <... $INP ...>, ...)
message: User controlled data in 'child_process.exec()' can result in Remote OS
Command Execution.
languages:
- javascript
severity: ERROR
metadata:
owasp: "A1: Injection"
cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection')"
Short Link: https://sg.run/Klzj