Sin 5: Command Injection Summary

  • Do perform input validation on all input before passing it to a command processor.

  • Do handle the failure securely if an input validation check fails.

  • Do not pass unvalidated input to any command processor, even if the intent is that the input will just be data.

  • Do not use the deny-list approach, unless you are 100 percent sure you are accounting for all possibilities.

  • Consider avoiding regular expressions for input validation; instead, write simple and clear validators by hand.
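The following is an added example, not code from the original text, showing the points above in one place: a hand-written allow-list validator (no regular expression, no deny-list), secure handling of a failed check, and passing the validated value to the program as an argv list so that no command processor ever sees the input. It assumes a hypothetical tool that pings a user-supplied hostname; the allowed character set and the sample inputs are constructed for the example.

```python
import subprocess
import string
from typing import List

# Constructed allow-list: lowercase DNS hostname characters only.
# (Assumption: this hypothetical tool only needs to ping lowercase hostnames.)
ALLOWED_HOSTNAME_CHARS = frozenset(string.ascii_lowercase + string.digits + "-.")


class ValidationError(ValueError):
    """Raised when input fails the allow-list check."""


def validate_hostname(value: str) -> str:
    """Hand-written allow-list validator for a DNS hostname.

    Accepts only what the program can legitimately use; anything else,
    including every shell metacharacter, is rejected by construction rather
    than by enumerating bad characters (the deny-list approach).
    """
    if not 1 <= len(value) <= 253:
        raise ValidationError("hostname length out of range")
    for ch in value:
        if ch not in ALLOWED_HOSTNAME_CHARS:
            raise ValidationError("hostname contains a disallowed character")
    for label in value.split("."):
        # Each DNS label: 1-63 characters, no leading or trailing hyphen.
        if not label or len(label) > 63:
            raise ValidationError("bad DNS label length")
        if label[0] == "-" or label[-1] == "-":
            raise ValidationError("DNS label may not start or end with '-'")
    return value


def build_ping_command(host: str) -> List[str]:
    """Return the command as an argv list; no shell string is ever built.

    Because a validated hostname cannot start with '-', it also cannot be
    read as an option by ping.
    """
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> int:
    """Run ping for a user-supplied host; -1 means the input was refused.

    Failing securely: on a validation error the request is refused outright,
    with no fallback to the raw input or to a shell.
    """
    try:
        argv = build_ping_command(host)
    except ValidationError:
        return -1
    # shell=False (the default): argv goes straight to the OS exec call, so no
    # command processor interprets the hostname, even though it is "just data".
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs, not from the original text.
    for candidate in ["example.com", "-example.com", "exa mple.com", "example..com"]:
        try:
            print(candidate, "->", build_ping_command(candidate))
        except ValidationError as exc:
            print(candidate, "-> rejected:", exc)
```

The validator is deliberately a few explicit loops rather than a pattern: each rule is visible, easy to review, and easy to extend when the application's legitimate input set changes.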

