OeditusCredo.Check.Security.OSCommandInjection (OeditusCredo v0.6.3)

Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of higher and works with any version of Elixir.

Explanation

Detects potential OS command injection vulnerabilities (CWE-78).

Passing user-controlled input to system command functions can allow attackers to execute arbitrary OS commands.

Bad:

System.cmd(user_input, [])
System.shell("ls " <> user_input)
:os.cmd(String.to_charlist(params["cmd"]))

Good:

System.cmd("ls", ["-la", safe_dir])
# Always use literal command names with System.cmd
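As an added example (not part of the OeditusCredo project or its docs), the module below puts the shell-string pattern this check flags next to a hardened version of the same feature: a literal command name, arguments passed as a list so no shell parses them, and the user-controlled value validated before it reaches the argument list. The module name, the base directory and the validation rule are assumptions made up for the example.

```elixir
defmodule DirectoryLister do
  @moduledoc """
  Added example (not OeditusCredo code): the `Bad` pattern from the check's
  docs next to a hardened version of the same "list a directory" feature.
  """

  # Hypothetical base directory; the check itself knows nothing about it.
  @base_dir "/srv/exports"

  # Flagged by the check: user input is concatenated into a shell string, so
  # shell metacharacters in the input are interpreted by the shell.
  def list_unsafe(user_input) do
    System.shell("ls -la " <> user_input)
  end

  # Hardened: literal command, arguments as a list (no shell involved), and the
  # user-controlled value validated before it is used. A literal command name
  # alone is not enough: an unvalidated argument could still traverse out of
  # @base_dir or be read by `ls` as an option, hence the validation and `--`.
  def list_safe(user_input) when is_binary(user_input) do
    with {:ok, rel} <- validate_subdir(user_input) do
      dir = Path.join(@base_dir, rel)
      {output, status} = System.cmd("ls", ["-la", "--", dir], stderr_to_stdout: true)
      if status == 0, do: {:ok, output}, else: {:error, {:exit, status}}
    end
  end

  # Accept a single path component: starts with an alphanumeric or underscore,
  # so it cannot begin with "." (no "..", no hidden dirs) or "-" (no option
  # lookalike), and contains no "/" so it cannot leave @base_dir.
  defp validate_subdir(name) do
    if Regex.match?(~r/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/, name) do
      {:ok, name}
    else
      {:error, :invalid_directory}
    end
  end
end
```

`list_safe("reports")` runs `ls -la -- /srv/exports/reports`, while `list_safe("../etc")` and `list_safe("-R")` return `{:error, :invalid_directory}` without ever spawning a process.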

Check-Specific Parameters

Use the following parameters to configure this check:

:exclude_test_files

Set to true to skip test files (default: false)

This parameter defaults to nil.

General Parameters

Like with all checks, general params can be applied.

Parameters can be configured via the .credo.exs config file.