SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-77 Command Injection

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a pattern where untrusted input may be interpreted by a shell or command parser, allowing an attacker to alter the command being executed.

Why it matters

Attackers can run arbitrary system commands.

Safer examples

1) Don't build shell strings; pass arguments as arrays

import subprocess
subprocess.run(["git", "status"], check=True)

2) Avoid shell=True / shell execution

If you must use shell features, strictly allowlist inputs and isolate execution.

3) Use allowlists for user-controlled command choices

const allowed = new Set(["status", "version"]);
const cmd = allowed.has(req.query.cmd) ? req.query.cmd : "status";

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.