CWE-77 Command Injection
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a pattern where untrusted input may be interpreted by a shell or command parser, allowing an attacker to alter the command being executed.
Why it matters
Attackers can run arbitrary system commands.
- RCE risk: compromise the host running the service.
- Credential theft: environment/config files and cloud metadata can be stolen.
- Lateral movement: compromised hosts are often used to pivot internally.
Safer examples
1) Don't build shell strings; pass arguments as arrays
import subprocess
subprocess.run(["git", "status"], check=True)
2) Avoid shell=True / shell execution
If you must use shell features, strictly allowlist inputs and isolate execution.
3) Use allowlists for user-controlled command choices
const allowed = new Set(["status", "version"]);
const cmd = allowed.has(req.query.cmd) ? req.query.cmd : "status";
How SiteShadow detects it (high level)
- Looks for command execution APIs and flags when request-derived data flows into command strings/args.
- Treats shell-string execution as higher risk than argument arrays.
References
- CWE-77: https://cwe.mitre.org/data/definitions/77.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.