Insecure Use of Dangerous Function

Fixing Command Injection

About Command Injection

What is command injection?

Command injection is a type of security vulnerability that allows an attacker to execute arbitrary commands on a target system. It occurs when an application accepts user input as part of a command or query that is executed by the system without proper validation or sanitization.

For example, consider a web application that allows users to search for products by entering a product name. If the application does not properly sanitize user input and passes the input directly to the operating system's command shell, an attacker can insert malicious code into the input that could be executed by the command shell.

This could result in the attacker gaining unauthorized access to the system or performing other malicious actions.

Check out this video for a high-level explanation:

What is the impact of command injection?

A successful command injection attack can have a wide-ranging impact, depending on the system and the attacker's goals. Here are a few potential impacts:

• Unauthorized access: An attacker may be able to gain unauthorized access to a system or application, giving them access to sensitive data or functionality.
• Data theft: An attacker may be able to steal data from the system, including personally identifiable information, financial data, or other sensitive data.
• Malware installation: An attacker may be able to install malware on the system, allowing them to further compromise the system or use it as a launching point for other attacks.
• Denial of service: An attacker may be able to launch a denial-of-service attack by executing commands that overwhelm the system's resources, or deleting important system files.
• System compromise: In some cases, a successful command injection attack can lead to complete compromise of the system, allowing the attacker to take full control.

How to prevent command injection?

Some measures that can help prevent command injection attacks are:

• Input validation and sanitization: Ensure that user input is validated and sanitized before it is used in any system command. Use regular expressions or input filters to remove or encode any special characters that could be used to execute arbitrary commands.
• Use parameterized queries: When executing commands that include user input, use parameterized queries instead of string concatenation.
• Limit permissions: Limit the permissions of the user account that runs the application to only those that are necessary to perform its functions.
• Perform regular security audits: Regularly audit your system and application for security vulnerabilities, including command injection vulnerabilities. Use automated tools and manual testing to identify potential issues and fix them before they can be exploited.
• Educate your development team: Educate your development team about the risks of command injection attacks and the measures that can be taken to prevent them.

References

Taxonomies

• OWASP Top 10 - A03 Injection
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Explanation & Prevention

• OWASP: Command Injection
• OWASP: Command Injection Cheat Sheet
• Holistic Infosec: Command Injection - Risks
• Holistic Infosec: Command Injection - Countermeasures

Related CVEs

• CVE Details: CWE-77
• CVE Details: CWE-78

Training

• Secure Code Warrior: OS Command Injection

Go offers several ways to execute operating system commands, such as:

• exec.Command()
• exec.CommandContext()
• syscall.Exec()

This vulnerability allows a user to run (usually shell) commands on a host machine. This usually leads to an attacker having full control over the host machine.

This vulnerability occurs when user-controlled input gets passed into a function that allows commands to be executed on the host machine.

Rule-specific references:

• OWASP Information on Command Injection
• OWASP Command Injection Cheatsheet
• exec.Command Docs
• os.StartProcess Docs

Option A: Leverage an Allow-List for Certain Commands

The main way to mitigate this vulnerability in Go is to add certain commands to an allow-list. This means that only commands which are known to be good can be run.

1. Identify the vulnerable patterns (example below):

   func RunCommandEndpoint(resp http.ResponseWriter, req *http.Request) {
       req.ParseMultipartForm(1024)
       command, exists := req.MultipartForm.Value["cmd"]
   
       if !exists || len(command) == 0 {
           http.Error(resp, "Form value 'cmd' is required", 400)
           return
       }
   
       prog := command[0]
       args, exists := req.MultipartForm.Value["args"]
   
       if !exists {
           args = make([]string, 0)
       }
   
       exec.Command(prog, args...)
   }

2. Sanitize the vulnerable pattern by using a set of ok values (example below):

   var allowList map[string]struct{}
   
   func init() {
       allowList = make(map[string]struct{})
       allowList["echo"] = struct{}{}
   }
   
   func RunCommandEndpoint(resp http.ResponseWriter, req *http.Request) {
       req.ParseMultipartForm(1024)
       command, exists := req.MultipartForm.Value["cmd"]
   
       if !exists || len(command) == 0 {
           http.Error(resp, "Form value 'cmd' is required", 400)
           return
       }
   
       prog := command[0]
       args, exists := req.MultipartForm.Value["args"]
   
       if !exists {
           args = make([]string, 0)
       }
   
       if _, ok := allowList[prog]; ok {
           exec.Command(prog, args...)
       }
   }

3. Test it

4. Ship it 🚢 and relax 🌴

Option B: Don't Allow Commands to be Controlled by a User

This solution is fairly simple. It works by removing the ability for user input to be passed into a vulnerable function.

This can be done in a multitude of ways e.g.:

• Have a map of strings to functions
• Separate functionality into different functions
• Use an enum to denote which command to call
• etc.

1. Locate the vulnerable patterns (example below):

   
   func CallOSCommand(userInput string, args ...string) {
         exec.Command(userInput, args...)
   }
   

2. Replace the vulnerable pattern with one of the methods above (example below):

   This example uses an enum to solve the problem

   type OSProgram uint64
   
   const (
       LS OSProgram = iota
       Cat
       Echo
       Grep
   )
   
   func CallOSCommand(program OSProgram, args ...string) {
       switch program {
       case LS:
           exec.Command("ls", args...)
       case Cat:
           exec.Command("cat", args...)
       case Echo:
           exec.Command("echo", args...)
       case Grep:
           exec.Command("grep", args...)
     }
   }

3. Test it

4. Ship it 🚢 and relax 🌴