Avoid command injection

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: go-security/command-injection

Language: Go

Severity: Warning

Category: Security

CWE: 78

Description

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

Avoid executing commands constructed using user-provided data, or if you must, always validate and sanitize user inputs before passing them to exec.Command.

Non-Compliant Code Examples

import (
	"context"
	"os"
	"os/exec"
)

func main() {
	directory := os.Args[1]
	ctx := context.Background()
	cmd := exec.CommandContext(ctx, "/bin/ls", directory)
	output, err := cmd.CombinedOutput()
}

import (
	"os"
	"os/exec"
)

func main() {
	directory1 := os.Args[1]
	directory2 := os.Args[2]
	cmd := exec.Command("/bin/ls", directory1, directory2)
	output, err := cmd.CombinedOutput()
}

Compliant Code Examples

import (
    "os/exec"
)

func main () {
    res, err := exec.Command("/bin/ls", "something")
}

import (
    "context"
    "os/exec"
)

func main () {
    ctx := context.Background()
    res, err := exec.CommandContext(ctx, "/bin/ls")
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: guillaume.barrier/ERRORT-5095-general-doc-update