
Remediate OS Command Injection Vulnerability Detected by GitLab Security Scanner

Security Vulnerability Detection

Source

GitLab Security Vulnerability Report: This vulnerability was automatically detected by GitLab's security scanning tools (SAST).

Vulnerability Details

  • Type: Improper neutralization of special elements used in an OS Command ('OS Command Injection')
  • CWE: CWE-78
  • Severity: High
  • Location: app.py - Admin login functionality

Description

The scanner flagged instances in the application where user input is passed unsafely to subprocess.run() or related functions, which can lead to command injection. The rule specifically looks for cases where a shell such as sh or bash is invoked with user-controlled input.

Command injection is a serious security vulnerability that allows an attacker to execute arbitrary system commands on the host operating system. This can lead to data breaches, data loss, system compromise, and other devastating impacts.

Security Impact

  • Confidentiality: HIGH - Attacker can read sensitive files
  • Integrity: HIGH - Attacker can modify system files
  • Availability: HIGH - Attacker can crash the system
  • Attack Vector: Network
  • Attack Complexity: Low

Remediation Approach

To fix command injection vulnerabilities, user input should never be passed directly to subprocess functions that execute system commands. Instead, use the subprocess module's argument list feature to pass command arguments safely without invoking a shell.

Secure Code Pattern:

import subprocess

# Argument list form: the executable and each argument are handed to the OS
# directly, with no shell in between, so metacharacters in user_input
# (;, |, $(...), backticks) are passed as literal characters, never executed.
user_input = "file.txt"  # placeholder for the user-supplied value
subprocess.run(["ls", user_input])  # list form, no shell=True

Mitigation Guidelines

  • Never pass user input directly to subprocess functions that execute commands
  • Use the argument list feature of subprocess to pass command and arguments safely
  • Validate and sanitize any user input before using it in command execution
  • Remove shell=True parameter from subprocess calls
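The pattern from the Remediation Approach and the validation step from the guidelines above, worked through as an added example (not code from app.py or the scanner): the executable and its arguments are passed as a list, the file name is checked against an allowlist before it reaches the command, and a second helper shows that list-form arguments reach the child process verbatim. ALLOWED_DIR, the allowlist regex and the sample file are constructed assumptions for the example.

```python
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumed base directory the admin feature may list from (constructed for the example).
ALLOWED_DIR = Path(tempfile.gettempdir()).resolve()
# Allowlist: a plain file name, no path separators and no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class UnsafeInput(ValueError):
    """Raised when user input fails validation; the command is never built."""


def validate_filename(user_input: str) -> Path:
    """Accept only a plain file name that resolves inside ALLOWED_DIR."""
    if not SAFE_NAME.fullmatch(user_input) or user_input in (".", ".."):
        raise UnsafeInput(f"rejected file name: {user_input!r}")
    target = (ALLOWED_DIR / user_input).resolve()
    if target.parent != ALLOWED_DIR:  # defence in depth against traversal
        raise UnsafeInput("path escapes the allowed directory")
    return target


def is_rejected(user_input: str) -> bool:
    """True when validation refuses the input (used by the checks below)."""
    try:
        validate_filename(user_input)
    except UnsafeInput:
        return True
    return False


def list_file(user_input: str) -> str:
    """Run ls on the validated path using an argument list, never a shell."""
    target = validate_filename(user_input)
    result = subprocess.run(
        ["ls", "-l", "--", str(target)],  # list form: no shell, no word splitting
        capture_output=True, text=True, check=True, timeout=5,
    )
    return result.stdout


def literal_argv(user_input: str) -> str:
    """Show that a list-form argument reaches the child unchanged: nothing parses it."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_input],
        capture_output=True, text=True, check=True, timeout=5,
    )
    return result.stdout


def demo() -> bool:
    """Create a constructed sample file inside ALLOWED_DIR and list it safely."""
    sample = ALLOWED_DIR / "sast_demo_file.txt"
    sample.write_text("constructed sample\n")
    try:
        return "sast_demo_file.txt" in list_file("sast_demo_file.txt")
    finally:
        sample.unlink()
```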

Identifiers

  • A1:2017 - Injection
  • CWE-78
  • A03:2021 - Injection
  • Bandit Test ID: B604, B602, B603

Acceptance Criteria

  • Remove all instances of shell=True with user input
  • Replace string-based commands with list-based arguments
  • GitLab security scan shows vulnerability as resolved
  • All tests pass with secure implementation
  • Code review confirms secure patterns

Labels

security, vulnerability, sast, remediation