I01 Injection Risk Patterns

What this means

SiteShadow flagged "injection-shaped" code patterns where untrusted input may be interpreted as code, a query, a command, or a template.

Why it matters

Injection often turns user input into instructions.
Outcomes range from data leaks (SQL/NoSQL injection) to RCE (command/code injection).
Even "internal tools" become attack surfaces once exposed via automation, cron jobs, or webhooks.

Safer examples

await db.query("SELECT * FROM users WHERE id = $1", [id]);

# Bad: eval(user_input)
# Good: parse and validate a known format instead
value = int(user_input)

subprocess.run(["convert", "--", input_path, output_path], check=True)

Detects dangerous sinks (SQL execution, shell execution, dynamic evaluation, template/DOM sinks).
Requires untrusted sources in context (request params/body/query, env, network input) to reduce false positives.
Uses language-aware heuristics for common frameworks when possible.

References

---