76520001a7
* Create rule S6350 * Update description * Add code samples * Make stdin more verbose * Make stdin more verbose * Update recommended * Improve description * Extend ask yourself * Add compliant solutions and rename tainted variables * Add input var * Add link to blog post * Use find as example * Update csharp example * Add OWASP Top 10 2021 mapping * add missing message * fix metadata * Use type-safe in_array for PHP Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
9 lines
624 B
Plaintext
9 lines
624 B
Plaintext
Constructing arguments of system commands from user input is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9920[CVE-2016-9920]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29472[CVE-2021-29472]
|
|
|
|
Arguments of system commands are processed by the executed program. The arguments are usually used to configure and influence the behavior of the programs.
|
|
Control over a single argument might be enough for an attacker to trigger dangerous features like executing arbitrary commands or writing files into specific directories.
|
|
|