CodeQL documentation

Uncontrolled data used in OS command

ID: cpp/command-line-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-078
  - external/cwe/cwe-088
Query suites:
  - cpp-code-scanning.qls
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls

The code passes user input as part of a call to system or popen without escaping special elements. It generates a command line using sprintf, with the user-supplied data directly passed as a formatting argument. This leaves the code vulnerable to attack by command injection.

Recommendation

Use a library routine to escape characters in the user-supplied string before passing it to a command shell.

Example

The following example runs an external command in two ways. The first way uses sprintf to build a command directly out of a user-supplied argument. As such, it is vulnerable to command injection. The second way quotes the user-provided value before embedding it in the command; assuming the encodeShellString utility is correct, this code should be safe against command injection.

#include <stdio.h>
#include <stdlib.h>

/* Library routine assumed by the example: writes a shell-quoted copy of
 * `in` into `out` (capacity `cap`). Its definition is not part of this page. */
void encodeShellString(char *out, int cap, const char *in);

int main(int argc, char **argv) {
  char *userName = argv[2];

  {
    // BAD: a string from the user is injected directly into
    // a command line.
    char command1[1000] = {0};
    sprintf(command1, "userinfo -v \"%s\"", userName);
    system(command1);
  }

  {
    // GOOD: the user string is encoded by a library routine.
    char userNameQuoted[1000] = {0};
    encodeShellString(userNameQuoted, 1000, userName);
    char command2[1000] = {0};
    sprintf(command2, "userinfo -v %s", userNameQuoted);
    system(command2);
  }
}
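The example above leaves encodeShellString undefined. As an added illustration (not the CodeQL documentation's own code), the hypothetical shell_quote below shows what such a routine has to do: wrap the value in POSIX single quotes, rewrite every embedded single quote as '\'' so the shell reads the whole value as one literal word, and refuse output that does not fit. The builder uses snprintf rather than the sprintf of the GOOD branch so an over-long value cannot overflow the command buffer either.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a library function): single-quote `in` for a
 * POSIX shell into `out` (capacity `cap`). Returns 0 on success, -1 if
 * the quoted form plus its terminating NUL would not fit. */
int shell_quote(char *out, size_t cap, const char *in) {
    size_t n = 0;
    if (n + 1 >= cap) return -1;          /* room for this char + NUL */
    out[n++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            /* ' -> '\'' : close the quote, emit an escaped quote, reopen */
            if (n + 4 >= cap) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= cap) return -1;
            out[n++] = *p;
        }
    }
    if (n + 1 >= cap) return -1;
    out[n++] = '\'';
    out[n] = '\0';
    return 0;
}

/* Build the same "userinfo -v <quoted>" command line as the GOOD branch,
 * but with a bounded snprintf. Returns 0 on success, -1 on any overflow. */
int build_userinfo_cmd(char *cmd, size_t cap, const char *userName) {
    char quoted[256];
    if (shell_quote(quoted, sizeof quoted, userName) != 0) return -1;
    int len = snprintf(cmd, cap, "userinfo -v %s", quoted);
    return (len < 0 || (size_t)len >= cap) ? -1 : 0;
}

int main(void) {
    /* Constructed sample value: an apostrophe and a semicolon, both of
     * which must end up as literal characters of a single argument. */
    const char *sample = "O'Brien; extra";
    char cmd[512];
    if (build_userinfo_cmd(cmd, sizeof cmd, sample) == 0)
        printf("%s\n", cmd);   /* prints: userinfo -v 'O'\''Brien; extra' */
    return 0;
}
```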
