command-injection (listed)
Install: claude install-skill Liaabnormal676/find-cve-agent
# Command Injection Detection
## When to Use
Audit any package that wraps CLI tools, runs build commands, processes files via external programs, or interfaces with git/ffmpeg/imagemagick/pandoc/etc.
CVSS is typically CRITICAL 9.8 for confirmed RCE.
## Key Distinctions
### Command Injection vs Argument Injection
- **Command injection**: Attacker breaks out of the intended command entirely (`; rm -rf /`)
- **Argument injection**: Attacker adds flags to the intended command (`--upload-pack=malicious`)
- Both are reportable. Command injection is CRITICAL, argument injection is HIGH.
### Shell vs No-Shell Execution
- **Shell execution** (exec, system, os.popen): Command string passed to shell interpreter. Metacharacters (`;`, `|`, `&&`, backticks, `$()`) are interpreted. DANGEROUS.
- **Direct execution** (execFile, spawn without shell, subprocess with list args): Arguments passed directly to the program. No shell interpretation. SAFER but argument injection may still work.
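The two distinctions above, shown side by side in Python's `subprocess` as an added example (this is not code from the skill itself). The constructed value `HOSTILE_NAME` and the helper names `run_with_shell`, `run_direct`, `was_injected`, `guard_positional` and `build_argv` are assumptions of this example; the shell-vs-list behaviour and the leading-dash argument-injection guard are standard `subprocess` semantics.

```python
"""Added example: shell execution vs direct execution, plus an argument-injection guard."""
import subprocess

# Constructed attacker-controlled value: a "filename" that smuggles a shell metacharacter.
HOSTILE_NAME = "report.txt; echo INJECTED"


def run_with_shell(name: str) -> str:
    """Vulnerable pattern (shell execution): the command is built by string
    interpolation and handed to /bin/sh, so ';' ends `echo` and starts a
    second command chosen by whoever controlled `name`."""
    proc = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return proc.stdout


def run_direct(name: str) -> str:
    """Hardened pattern (direct execution): an argv list with no shell. The
    whole value reaches `echo` as one argument; metacharacters are inert."""
    proc = subprocess.run(["echo", name], capture_output=True, text=True)
    return proc.stdout


def was_injected(output: str) -> bool:
    """A line consisting solely of INJECTED means a second command actually ran."""
    return "INJECTED" in output.splitlines()


def guard_positional(value: str) -> str:
    """Argument-injection guard: even with no shell, a value beginning with '-'
    is parsed as an option by most CLIs (the page's `--upload-pack=` case).
    Reject it rather than try to enumerate dangerous flags."""
    if value.startswith("-"):
        raise ValueError(f"refusing option-like positional argument: {value!r}")
    return value


def build_argv(tool: str, user_value: str) -> list:
    """Build a safe argv: no shell, guarded positional, and '--' to end option
    parsing for tools that honour it (belt and braces; not every CLI does)."""
    return [tool, "--", guard_positional(user_value)]


if __name__ == "__main__":
    print("shell=True  ->", repr(run_with_shell(HOSTILE_NAME)))   # two lines: second command ran
    print("argv list   ->", repr(run_direct(HOSTILE_NAME)))       # one line: literal string
    print("guarded argv->", build_argv("git", "example-repo"))
    try:
        build_argv("git", "--upload-pack=anything")
    except ValueError as exc:
        print("rejected    ->", exc)
```

When auditing, this is the test to keep in mind: the shell variant yields a second output line, the argv variant echoes the metacharacters back literally, and the remaining risk in the argv variant is only that a leading `-` is read as a flag, which is why a positional guard (or input validation of equivalent strength) is still needed.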
## Process
### Step 1: Find Shell Execution Sinks
```
# JavaScript/TypeScript — look for child_process usage
grep -rn "child_process" .
grep -rn "\.exec\('" .
grep -rn "\.execSync\(" .
grep -rn "spawn.*shell.*true" .
grep -rn "shelljs" .
# Python
grep -rn "os\.system\|os\.popen" .
grep -rn "subprocess.*shell.*True" .
grep -rn "commands\.getoutput\|commands\.getstatusoutput" .
# Go
grep -rn 'exec\.Command.*"bash"\|exec\.Command.*"sh"' .
# Ruby
grep -rn "system(\|%x{" . --include="*.rb"
grep -rn "IO\.p