There are numerous API calls and language constructs across a wide variety of programming languages that are susceptible to this problem. A good approach to reviewing code for this problem is to first identify every construct that could possibly be used to invoke any kind of command processor (including command shells, a database, or the programming language interpreter itself). Then, look through the program to see if any of those constructs are actually used. If they are, check whether a suitable defensive measure is taken. While defensive measures can vary based on the sin (see, for example, our discussion on SQL injection in Sin 4), one should usually be skeptical of deny-list-based approaches and favor allow-list approaches (see the Redemption Steps section that follows).
Here are some of the more popular constructs to be worried about:
| Language | Construct | Comments |
|---|---|---|
| C/C++ | system(), popen() | Posix |
| C/C++ | The ShellExecute() family | Win32 only |
| Perl | system | If called as one argument, can |
| Perl | exec | Similar to system, except ends |
| Perl | backticks (`) | Will generally invoke a shell. |
| Perl | open | If the first or last character of the filename is a vertical bar, then Perl opens a pipe instead. This is done by calling out to the shell, and the rest of the filename becomes data passed through the shell. |
| Perl | Vertical bar operator | This acts just like the Posix |
| Perl | eval | Evaluates the string argument |
| Perl | Regular expression /e operator | Evaluates a pattern-matched portion of a string as Perl code. |
| Python | exec, eval | Data gets evaluated as code. |
| Python | os.system, os.popen | These delegate to the underlying Posix calls. |
| Python | execfile | This is similar to exec and eval, but takes the data to run from the specified file. If the attacker can influence the contents of the file, the same problem occurs. |
| Python | input | Equivalent to eval(raw_input()), so this actually executes the user's text as code! |
| Python | compile | The intent of compiling text into code is ostensibly that it's going to get run! |
| Java | Class.forName(String name), Class.newInstance() | Java byte code can be dynamically loaded and run. In some cases, the code will be sandboxed when coming from an untrusted user (particularly when writing an applet). |
| Java | Runtime.exec() | Java attempted to do the secure thing by not giving any direct facility to call a shell. But shells can be so convenient for some tasks that many people will call this with an argument that explicitly invokes a shell. |
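The first step of the review described above, finding every use of the table's Python constructs and separating calls fed only string literals from those that receive runtime data, can be mechanized with Python's `ast` module. This is an added example, not code from the book; the `RISKY_CALLS` set mirrors the Python rows of the table, and the sample program it scans is constructed.

```python
import ast

# Python constructs from the table above that hand data to an interpreter or
# a shell, keyed by the dotted name as written at the call site (Python 2
# names such as execfile and input are kept for completeness).
RISKY_CALLS = {"eval", "exec", "compile", "execfile", "input",
               "os.system", "os.popen"}

def _dotted_name(node):
    """'os.system' for os.system(...), 'eval' for eval(...), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def find_risky_calls(source):
    """Return sorted (line, construct, literal_args) for each risky call.
    literal_args is True when every positional argument is a string constant,
    so no runtime data reaches the command processor; everything else needs a
    defensive measure (allow-listing, an argv list instead of a shell string)
    and is the part of the review that has to be done by hand."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in RISKY_CALLS:
            continue
        literal = bool(node.args) and all(
            isinstance(a, ast.Constant) and isinstance(a.value, str)
            for a in node.args)
        findings.append((node.lineno, name, literal))
    return sorted(findings)

# Constructed sample program under review (not real project code).
SAMPLE = '''import os, subprocess
def ping(host):
    os.system("ping -c 1 " + host)      # runtime data reaches the shell
def version():
    return os.popen("uname -r").read()  # literal string only
def calc(expr):
    return eval(expr)                   # data evaluated as code
def safe_run(host):
    subprocess.run(["ping", "-c", "1", host])  # argv list, no shell
'''
if __name__ == "__main__":
    for line, name, literal in find_risky_calls(SAMPLE):
        print(line, name, "literal args" if literal else "REVIEW: runtime data")
```

The scan only triages: a literal-only call is lower priority, while every flagged call with runtime data still has to be checked by hand for an allow-list or a shell-free invocation.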