CWE-78 OS Command Injection

What this means

SiteShadow flagged code that executes OS commands using untrusted input (directly or as part of a shell string).

Why it matters

• Remote code execution: attackers can run arbitrary commands as your service user.
• Credential theft: environment variables, config files, and cloud metadata can be exfiltrated.
• Lateral movement: once a host is compromised, it can be used to pivot into your network.

Safer examples

1) Avoid shell=True and pass arguments as a list (Python)

import subprocess

subprocess.run(["git", "rev-parse", "--short", "HEAD"], check=True)

2) Prefer execFile/spawn with args (Node)

import { execFile } from "node:child_process";

execFile("git", ["rev-parse", "--short", "HEAD"], (err, stdout) => {
  if (err) throw err;
  console.log(stdout);
});

3) If user input must influence a command, use allowlists

allowed = {"status", "version"}
cmd = cmd if cmd in allowed else "status"
subprocess.run(["mytool", cmd], check=True)

How SiteShadow detects it (high level)

• Looks for command execution APIs (os.system, subprocess.*, child_process.exec, PowerShell invocation).
• Flags when user-controlled input is used in command strings/args (request params/body/query, env, CLI args).
• Treats shell=True / shell-string execution as higher risk than argument arrays.

References

• CWE-78: https://cwe.mitre.org/data/definitions/78.html

---

← Back to Vulnerability Library