SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-78 OS Command Injection

Coverage: 55 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 55 Also: AI-context engineTaint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged code that executes OS commands using untrusted input (directly or as part of a shell string).

Why it matters

Safer examples

1) Avoid shell=True and pass arguments as a list (Python)

import subprocess

subprocess.run(["git", "rev-parse", "--short", "HEAD"], check=True)

2) Prefer execFile/spawn with args (Node)

import { execFile } from "node:child_process";

execFile("git", ["rev-parse", "--short", "HEAD"], (err, stdout) => {
  if (err) throw err;
  console.log(stdout);
});

3) If user input must influence a command, use allowlists

allowed = {"status", "version"}
cmd = cmd if cmd in allowed else "status"
subprocess.run(["mytool", cmd], check=True)

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.