Go

Made by DeepSource

Audit required: Command injection from user-controlled sources GO-S1015

Security
Major
Tags: A03, CWE-78, SANS Top 25, OWASP Top 10

A command invocation (os/exec) built from user-provided data without sufficient sanitization may let an attacker run arbitrary commands to exfiltrate data or compromise the system. Either avoid using user-provided data directly in command invocations, or sanitize it before use.

Recommendations to avoid such attacks:
- Sanitize the user input before constructing the command
- Use hard-coded string literals to specify the commands to run
- Based on the user input, select from trusted hard-coded commands

Bad practice

import (
    "net/http"
    "os/exec"
)

func executor(req *http.Request) {
    cmdQ := req.URL.Query()["cmd"][0]

    // NOTE: cmdQ contains the value (at index 0) of the "cmd" key
    // parsed from the raw query (request).
    // An attacker could manipulate this to pass an unsafe URL
    // such that cmdQ gets a command to run that could compromise
    // the system.
    cmd := exec.Command(cmdQ)
    cmd.Run()
}

The function extracts the name of a system command from the request parameter and then runs it without any scrutiny, which can cause a command injection vulnerability.

Recommended

import (
    "net/http"
    "os/exec"
)

func executor(req *http.Request) {
    // Query().Get returns "" when "cmd" is absent instead of panicking
    // on a missing index.
    cmdQ := req.URL.Query().Get("cmd")

    // NOTE: There are other methods as well to make this a safer
    // function. Here every value that reaches exec.Command is a
    // hard-coded literal selected by the switch.
    switch cmdQ {
    case "a":
        // Keep as it is: "a" is already a trusted command name
    case "b":
        // Modify: map the request value to a trusted command
        cmdQ = "app2"
    case "<something unsafe>":
        // Executing "true" is harmless as it just returns
        // true
        cmdQ = "true"
    default:
        // Reject anything not listed above; passing cmdQ through
        // unchanged here would reintroduce the injection
        return
    }

    cmd := exec.Command(cmdQ)
    cmd.Run()
}
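A fuller version of the allow-list approach, added here as an example and not DeepSource's own code: the request value is only ever used as a key into a table of hard-coded program names and arguments (the table entries are constructed for this example), unknown values are rejected before anything runs, and the handler reads the parameter with Query().Get so a missing "cmd" does not panic.

```go
package main

import (
	"errors"
	"net/http"
	"os/exec"
)

// ErrUnknownAction is returned for any request value not in the allow-list.
var ErrUnknownAction = errors.New("unknown action")

// allowedActions maps request values to hard-coded program names and
// arguments. The request value itself never reaches exec.Command.
// (Hypothetical mapping constructed for this example.)
var allowedActions = map[string][]string{
	"status":  {"systemctl", "status", "app"},
	"version": {"app", "--version"},
	"noop":    {"true"},
}

// resolveCommand returns the trusted argv for a request value, or
// ErrUnknownAction. Everything not explicitly listed is rejected.
func resolveCommand(action string) ([]string, error) {
	argv, ok := allowedActions[action]
	if !ok {
		return nil, ErrUnknownAction
	}
	// Return a copy so callers cannot mutate the allow-list.
	out := make([]string, len(argv))
	copy(out, argv)
	return out, nil
}

// executor is the HTTP handler: it looks the value up and only runs a
// command when the lookup succeeds. Query().Get avoids the index panic
// when "cmd" is absent.
func executor(w http.ResponseWriter, req *http.Request) {
	argv, err := resolveCommand(req.URL.Query().Get("cmd"))
	if err != nil {
		http.Error(w, "unsupported action", http.StatusBadRequest)
		return
	}
	// argv[0] is a fixed literal from the table; no shell is involved.
	if err := exec.Command(argv[0], argv[1:]...).Run(); err != nil {
		http.Error(w, "command failed", http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}
```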
