OS commands are security-sensitive. For example, their use has led in the past to the following vulnerabilities:
Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any
externally-provided input used to construct those commands. Failure to do so could allow an attacker to execute unexpected or dangerous commands,
potentially leading to loss of confidentiality, integrity or availability.
Ask Yourself Whether
- the executed command is constructed from externally influenced input, for example user input (attacker-controlled) (*)
- the command execution is not restricted to the right users (*)
- the application can be redesigned to not rely on external input to execute the command
(*) You are at risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Restrict the control given to the user over the executed command:
- make the executed command part of a whitelist and reject all commands not part of this list
- sanitize the user input
Restrict which users can have access to the command:
- use a firewall to protect the process running the code, and to protect the network from the command
- authenticate the user and allow only some users to run the command
Reduce the damage the command can do:
- execute the code in a sandbox environment that enforces strict boundaries between the operating system and the process. For example: a "jail"
- refuse to run the command if the process has too many privileges. For example: forbid running the code as "root"
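The three groups of practices above (restrict what the user controls, restrict who may run it, reduce the damage) combine into one hardened execution path. The following Python example is added here to illustrate that path next to the pattern the rule flags; it is not part of the rule text or of any project's code. The allow-list contents, the hostname validator, and the function names (`build_argv`, `is_allowed`, `run_vulnerable`, `run_hardened`) are all constructed for the example.

```python
import os
import re
import subprocess

# Allow-list (constructed for this example): each permitted command maps to a
# fixed argv prefix; anything not listed here is refused outright.
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "1"],
    "dig": ["dig", "+short"],
}

# Argument validator (constructed): a hostname may contain letters, digits, dots
# and hyphens only and must not start with '-', so shell metacharacters such as
# ';', '|', '$(' and newlines, and option-looking values, never pass.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def validate_host(value: str) -> str:
    """Return the value unchanged if it is a well-formed hostname, else raise."""
    if not _HOST_RE.fullmatch(value):
        raise ValueError(f"rejected argument: {value!r}")
    return value


def build_argv(command: str, target: str) -> list:
    """Map (command, target) onto an allow-listed argv; raise on anything else."""
    prefix = ALLOWED_COMMANDS.get(command)
    if prefix is None:
        raise ValueError(f"command not in allow-list: {command!r}")
    return [*prefix, validate_host(target)]


def is_allowed(command: str, target: str) -> bool:
    """Boolean form of build_argv for callers that only need a decision."""
    try:
        build_argv(command, target)
    except ValueError:
        return False
    return True


def run_vulnerable(command: str, target: str) -> subprocess.CompletedProcess:
    """The pattern the rule flags: user input concatenated into a shell string.

    With target = "example.com; id" the shell runs ping and then id, because the
    ';' is interpreted by /bin/sh rather than passed to ping as data.
    """
    return subprocess.run(f"{command} {target}", shell=True,
                          capture_output=True, text=True)


def run_hardened(command: str, target: str) -> subprocess.CompletedProcess:
    """Allow-listed command, validated argument, no shell, no root, bounded runtime."""
    # Refuse to run with too many privileges (geteuid is POSIX-only; skipped elsewhere).
    geteuid = getattr(os, "geteuid", None)
    if geteuid is not None and geteuid() == 0:
        raise PermissionError("refusing to execute OS commands as root")
    argv = build_argv(command, target)
    # A list argv with shell=False goes to execve directly: no shell parsing, so
    # any metacharacters left in target are just bytes inside one argument.
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=10, check=False)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two attempts the validator rejects.
    for cmd, tgt in [("ping", "example.com"), ("ping", "example.com; id"), ("rm", "-rf")]:
        print(cmd, repr(tgt), "->", "allowed" if is_allowed(cmd, tgt) else "rejected")
```

Authentication of the caller and the sandbox or jail around the process are not shown: both sit outside the code that builds the command, in the request handler and in the deployment (container, seccomp or chroot), and the example only covers what the code itself can enforce. Note that `run_hardened` still passes user data to a real program, so the validator is what keeps that data inert; the `shell=False` call only guarantees that the shell does not reinterpret it.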
See
- MITRE, CWE-78 - Improper Neutralization of Special Elements used in an OS Command
- OWASP Top 10 2017 Category A1 - Injection
- SANS Top 25 - Insecure Interaction Between Components