بنقرة واحدة
sc-cmdi
OS Command Injection detection in shell execution, subprocess calls, and process spawning
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
OS Command Injection detection in shell execution, subprocess calls, and process spawning
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
| name | sc-cmdi |
| description | OS Command Injection detection in shell execution, subprocess calls, and process spawning |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects OS command injection vulnerabilities where user-controlled input is passed to system shell commands, subprocess execution, or process spawning functions without proper sanitization. Distinguishes between full command injection (attacker controls the command) and argument injection (attacker controls arguments to a fixed command).
Called by sc-orchestrator during Phase 2. Runs against all detected languages.
**/*.py, **/*.js, **/*.ts, **/*.go, **/*.php, **/*.java, **/*.kt,
**/*.cs, **/*.rb, **/scripts/*, **/*exec*, **/*shell*, **/*command*,
**/*process*, **/*system*, **/*spawn*
# Python
"os.system(", "os.popen(", "subprocess.call(", "subprocess.run(",
"subprocess.Popen(", "subprocess.check_output(", "commands.getoutput(",
"shell=True"
# JavaScript/Node.js
"child_process.exec(", "child_process.execSync(",
"child_process.spawn(", "execFile(", "require('child_process')",
"shelljs", "execa"
# Go
"exec.Command(", "exec.CommandContext(", "os/exec"
# PHP
"exec(", "system(", "passthru(", "shell_exec(", "popen(",
"proc_open(", "pcntl_exec(", "backtick"
# Java
"Runtime.getRuntime().exec(", "ProcessBuilder(",
"new ProcessBuilder("
# C#
"Process.Start(", "ProcessStartInfo(",
"System.Diagnostics.Process"
# Ruby
"system(", "exec(", "IO.popen(", "`"
Sources: HTTP request parameters, file names from uploads, environment variables from user-controlled sources, database values originally from user input.
Sinks: All command execution functions listed above.
Command injection — attacker controls the full command or can inject shell operators:
# VULNERABLE: Full command injection
os.system(f"echo {user_input}") # user_input = "; rm -rf /"
Argument injection — attacker controls arguments to a known-safe binary:
# VULNERABLE: Argument injection
subprocess.run(["git", "clone", user_url]) # user_url = "--upload-pack=evil"
Watch for user input reaching shell with these metacharacters unescaped:
;, |, &, &&, ||, $(), ` `, >, <, \n
# VULNERABLE: shell=True with user input
subprocess.run(f"convert {filename} output.png", shell=True)
# SAFE: Array form without shell
subprocess.run(["convert", filename, "output.png"])
// VULNERABLE: exec uses shell
const { exec } = require('child_process');
exec(`ls ${userDir}`, callback);
// SAFE: execFile does not use shell
const { execFile } = require('child_process');
execFile('ls', [userDir], callback);
// VULNERABLE: User input in shell command via sh -c
cmd := exec.Command("sh", "-c", "echo " + userInput)
// SAFE: Direct execution without shell
cmd := exec.Command("echo", userInput)
// VULNERABLE: String command to Runtime.exec
Runtime.getRuntime().exec("cmd /c dir " + userInput);
// SAFE: Array form
new ProcessBuilder("cmd", "/c", "dir", userInput).start();
// Note: Still risky if userInput contains shell metacharacters and cmd.exe interprets them
// VULNERABLE: User input in system call
system("ping -c 4 " . $_GET['host']);
// SAFE: escapeshellarg
system("ping -c 4 " . escapeshellarg($_GET['host']));
; id or $(whoami) as the {parameter} would execute additional commands.execFile('git', ['status']) with no user inputComprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan