Command Injection
Let’s look at Command Injection by itself for now. We’re mostly going to focus on a few different examples so it’s easier to see what it looks like in action. So, as a quick refresher, Command Injection vulnerabilities occur when user input uses part of an operating system command, like the following function:
let ip = request.params.ipAddress;
system("ping " + ip);
If a user provides the IP address, we’ll use `8.8.8.8` as an example, the command that gets executed will be `ping 8.8.8.8`, which does exactly what one would expect. However, if the user provides `8.8.8.8 && ls /etc/` this command wouldn’t just ping the IP 8.8.8.8, but it’ll also run `ls` on the `/etc/ folder.
Mitigation
Given the severity of a command injection attack, there are some important questions you need to ask first when working with system commands:
- Do you really need to invoke that command? The best defense is to not ever invoke system commands
- Are there any libraries/bindings that allow you to achieve the same effect without the use of a system command?
- Can you pass data into the process through Standard In, instead of the command itself?
If these things aren’t possible, parameterization is important.
Examples
Here are a few examples in various languages to help show how this looks in practice.
Without the use of parameterization, this is vulnerable to Command Injection.
string folder = "/tmp/ && ifconfig";
string cmd = "\"ls " + folder +"\"";
// INSECURE: Executes both the `ls` and `ifconfig` command
System.Diagnostics.Process.Start("bash", "-c " + cmd);
C# - secure
By providing the command as a list of parameters, the command is parameterized and protected against Command Injection.
string folder = "/tmp/ && ifconfig";
List<string> arguments = new List<string>() {"-c", "ls", folder};
// SECURE: Does not execute ifconfig command
System.Diagnostics.Process.Start("bash", arguments);
Java - Insecure
Without the use of parameterization, this is vulnerable to Command Injection.
String folder = "/tmp/ && ifconfig";
// INSECURE: Executes both the `ls` and `ifconfig` command
ProcessBuilder b = new ProcessBuilder("bash -c ls " + folder);
Process p = pb.start();
Java - Secure
By providing the command as a list of parameters, the command is parameterized and protected against Command Injection.
String folder = "/tmp/ && ifconfig";
// SECURE: Does not execute ifconfig command
ProcessBuilder b = new ProcessBuilder("bash", "-c", "ls", folder);
Process p = pb.start();
Javascript - Insecure
Without the use of parameterization, this is vulnerable to Command Injection.
const { exec } = require("child_process");
const folder = "/tmp/ && ifconfig";
// INSECURE: Executes both the `ls` and `ifconfig` command
const ls = exec("bash -c ls " + folder, (error, stdout, stderr) => {
console.log(`stdout: ${stdout}`);
});
Javascript - Secure
const { spawn } = require("child_process");
const folder = "/tmp/ && ifconfig";
// SECURE: Does not execute ifconfig command
const ls = spawn("bash", ["-c", "ls", folder]);
ls.stdout.on("data", data => {
console.log(`stdout: ${data}`);
});
Python - Insecure
Without the use of parameterization, this is vulnerable to Command Injection.
import subprocess
folder = "/tmp/ && ifconfig"
# INSECURE: Executes both the `ls` and `ifconfig` command
subprocess.run("bash -c ls " + folder, shell=True)
Python - Secure
By providing the command as a list of parameters, the command is parameterized and protected against Command Injection.
import subprocess
folder = "/tmp/ && ifconfig"
# SECURE: Does not execute ifconfig command
subprocess.run(["bash", "-c", "ls", folder])
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
