d3cfe19d7e
Co-authored-by: Marco Borgeaud <89914223+marco-antognini-sonarsource@users.noreply.github.com>
29 lines
907 B
Plaintext
29 lines
907 B
Plaintext
==== Neutralize special characters
|
|
|
|
If the application is to execute complex commands that cannot be controlled
|
|
thanks to pre-approved lists, the cleanest approach is to use special
|
|
sanitization components, such as `{sanitizationLib}`.
|
|
|
|
The library helps you to get rid of common dangerous characters, such as:
|
|
|
|
* `&`
|
|
* `|`
|
|
* `;`
|
|
* `$`
|
|
* `>`
|
|
* `<`
|
|
* `++`++`
|
|
* `++\++`
|
|
* `!`
|
|
|
|
|
|
If user input is to be included in the arguments of a command, the application
|
|
must ensure that dangerous options or argument delimiters are neutralized. +
|
|
Argument delimiters count `'`, `-` and spaces.
|
|
|
|
For example, the `find` command from UNIX supports the dangerous argument
|
|
`-exec`. +
|
|
In this case, option processing can be terminated with a string containing `--`
|
|
or with special options. For example, `git` supports
|
|
`--end-of-options` https://github.blog/2019-11-03-highlights-from-git-2-24/#tidbits[since its version 2.24].
|