CWE Rule 78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Since R2024a
Description
Rule Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Polyspace Implementation
The rule checker checks for these issues:
- Execution of externally controlled command 
- Unsafe call to a system function 
Examples
This issue occurs when commands are fully or partially constructed from externally controlled input.
Attackers can use the externally controlled input as operating system commands, or arguments to the application. An attacker could read or modify sensitive data can be read or modified, execute unintended code, or gain access to other aspects of the program.
Validate the inputs to allow only intended input values. For example, create a list of acceptable inputs and compare the input against this list.
By default, Polyspace® assumes that data from external sources are tainted. See Sources of Tainting in a Polyspace Analysis. To consider
                any data that does not originate in the current scope of Polyspace analysis as
                tainted, use the command line option -consider-analysis-perimeter-as-trust-boundary.
#include "stdlib.h"
#include "stdio.h"
#include "string.h"
#include "unistd.h"
#include "dlfcn.h"
#include "limits.h"
#define MAX 128
void taintedexternalcmd(void)
{
	char* usercmd;
	fgets(usercmd,MAX,stdin);
	char cmd[MAX] = "/usr/bin/cat ";
	strcat(cmd, usercmd);
	system(cmd);//Noncompliant 
}This example function calls a command from a user input without checking the command variable.
One possible correction is to use a
            switch statement to run a predefined command, using the user input as
          the switch variable. This corrected code also replaces the call to
            system() using calls to execve(), which is less
          unsafe.
#define _XOPEN_SOURCE
#define _GNU_SOURCE
#include "stdlib.h"
#include "stdio.h"
#include "string.h"
#include "unistd.h"
#include "dlfcn.h"
#include "limits.h"
enum {
    SIZE10  =  10,
    SIZE100 = 100,
    SIZE128 = 128
};
enum { CMD0 = 1, CMD1, CMD2 };
void taintedexternalcmd(void)
{
    int usercmd = strtol(getenv("cmd"), NULL, 10);
    char *argv[3];
    char cmd[SIZE128] = "/usr/bin/cat";
    char arg[SIZE10];
    switch(usercmd) {
        case CMD0:
            strcpy(arg, "*.c");
            break;
        case CMD1:
            strcpy(arg, "*.h");
            break;
        case CMD2:
            strcpy(arg, "*.cpp");
            break;
        default:
            strcpy(arg, "*.c");
    }
    argv[0] = cmd;
    argv[1] = arg;
    argv[2] = NULL;
    execve(cmd, argv, NULL);
    // If execve returns, there was an error
    perror("execve");
    exit(EXIT_FAILURE);
}This issue occurs when you use a function that invokes an implementation-defined command processor. These functions include:
- The C standard - system()function.
- The POSIX - popen()function.
- The Windows® - _popen()and- _wpopen()functions.
If the argument of a function that invokes a command processor is not sanitized, it can cause exploitable vulnerabilities. An attacker can execute arbitrary commands or read and modify data anywhere on the system.
Do not use a system-family function to invoke a command processor.
        Instead, use safer functions such as POSIX execve() and WinAPI
          CreateProcess(). 
# include <string.h>
# include <stdlib.h>
# include <stdio.h>
# include <unistd.h>
enum { 
SIZE512=512,
SIZE3=3};
void func(char *arg)
{
	char buf[SIZE512];
	int retval=sprintf(buf, "/usr/bin/any_cmd %s", arg);
	
	if (retval<=0 || retval>SIZE512){
		/* Handle error */
		abort();
	}
	/* Use of system() to pass any_cmd with 
	unsanitized argument to command processor */
	
	if (system(buf) == -1) { //Noncompliant
	/* Handle error */
  }
} In this example, system() passes its argument to the host environment
        for the command processor to execute. This code is vulnerable to an attack by
        command-injection.
execve()In the following code, the argument of any_cmd is sanitized, and
          then passed to execve() for execution. exec-family
          functions are not vulnerable to command-injection attacks.
# include <string.h>
# include <stdlib.h>
# include <stdio.h>
# include <unistd.h>
enum { 
SIZE512=512,
SIZE3=3};
void func(char *arg)
{
  char *const args[SIZE3] = {"any_cmd", arg, NULL};
  char  *const env[] = {NULL}; 
  
  /* Sanitize argument */
  
  /* Use execve() to execute any_cmd. */
  if (execve("/usr/bin/time", args, env) == -1) { 
    /* Handle error */
  }
} Check Information
| Category: Data Neutralization Issues | 
Version History
Introduced in R2024a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
Select a Web Site
Choose a web site to get translated content where available and see local events and offers. Based on your location, we recommend that you select: .
You can also select a web site from the following list
How to Get Best Site Performance
Select the China site (in Chinese or English) for best site performance. Other MathWorks country sites are not optimized for visits from your location.
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)