escapeshellarg in PHP for system calls like exec($cmd)

$cmd .= "1' \"".escapeshellarg.($argc1)"\" > tmp && mv -f tmp \"".escapeshellarg($argc2)."\"";

exec($cmd)
Why is it always suggested to use exec("cmd".escapeshellarg($arg));?

syslog(LOG_ALERT, htmlspecialchars($IP) . htmlspecialchars($port) . '): ’ . htmlspecialchars($msg));
Is it an issue when all the parameters are sanitized?

Hello @sumank.sonar, and welcome to the community.

Can you elaborate a bit on what your concern is? What features are you describing?
Can you explain your example a little more?

Best,
Nils

The feature is to execute a system command using exec(“Command name”) in php.
e.g.
Line 1. $cmd = “1’ "”.escapeshellarg.($argc1)“" > tmp && mv -f tmp "”.escapeshellarg($argc2).“"”;
Line 2. exec($cmd)
In line 1 I have already sanitized the user input argument, but it still shows a vulnerability in line 2 with the suggestion to use “exec($cmd,escapeshellarg($argc2))”.


Another concern:
I have to provide a system log based on specific condition.

  1. syslog(LOG_ALERT, htmlspecialchars($IP) . htmlspecialchars($port) . '): ’ . htmlspecialchars($msg));
    Sonar suggests the compliant solution:

Compliant Solution

$data = $_GET[“data”]; $badchars = array(“\n”, “\r”, “\t”); $safedata = str_replace($badchars, “”, $data); error_log($safedata);
But in point 1 I already use “htmlspecialchars” to sanitize the input argument.

The suggestion is not clear to me.
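As an added illustration (not part of the thread), the following PHP shows why htmlspecialchars() does not address the log-injection rule: it encodes HTML metacharacters but passes line breaks through, whereas the str_replace() sanitizer from the quoted compliant solution removes them. The input message and the helper names are constructed for this example.

```php
<?php
// Added example, not code from the thread. Constructed input: a message that
// tries to smuggle a second, forged line into the log.
$msg = "login failed\r\nALERT: forged entry from user input";

// Same approach as the compliant solution quoted above: strip the characters
// that would let the input start a new log line.
function sanitizeForLog(string $data): string
{
    $badchars = array("\n", "\r", "\t");
    return str_replace($badchars, "", $data);
}

// True when the string still contains a carriage return or line feed.
function containsLineBreak(string $s): bool
{
    return preg_match('/[\r\n]/', $s) === 1;
}

// htmlspecialchars() only rewrites <, >, &, " and '; line breaks survive it.
$htmlEncoded = htmlspecialchars($msg);
$logSafe = sanitizeForLog($msg);

var_dump(containsLineBreak($htmlEncoded));
var_dump(containsLineBreak($logSafe));

// Only the sanitized variant is suitable as a single syslog entry.
syslog(LOG_ALERT, 'example: ' . $logSafe);
```

Run with the php CLI, the first var_dump reports true (the HTML-encoded message can still break the log into two lines) and the second reports false. The point is that the two functions target different sinks: htmlspecialchars() protects an HTML page, the newline stripping protects a line-oriented log.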

Hello Suman,

The PHP code is invalid, maybe that is the reason why an issue is still raised? For example, escapeshellarg.($argc1) does not call escapeshellarg but instead uses it as a constant (that is not defined and thus it is used as a string literal) and concatenates it with $argc1.
On the other hand, I would expect that the code can not be parsed at all since there is also a syntax error in there. But even when I fix the syntax errors the code does not seem to make sense to me (possibly, because it is incomplete). Is this really the code that is executed? If not, please provide the actual code, otherwise it is really hard to say why an issue is still raised.

In regards to the second issue, please create a new thread. Thank you! Also, please have a look at this post before you create the new thread: How to Report a False-positive / False-negative

I am sharing the code in detail.
$filename = ‘"’.htmlspecialchars($_GET[“filename”]).‘"’;
$sizeLimit = “10240”;
$filesize = “1024”
$tsharkArgs = “sudo nohup tshark -a filesize:” .$sizeLimit. " -p -w ";
$tsharkArgs .= $filename;
$pos = strpos($tsharkArgs, “tshark”);
if ($pos !== false)
{
system($tsharkArgs);
}

The suggestion is to change this code to not construct the OS command from user-controlled data.

Thanks. Yes, this code is vulnerable to Command Injection. htmlspecialchars can prevent Cross-Site Scripting vulnerabilities but not Command Injection vulnerabilities. It simply does not encode the characters that can be used to inject commands. If you call the script with ?filename=`touch /tmp/xxx` you will find the file xxx in the /tmp directory.

To make it more secure (executing commands in such a way always carries some risk, even when escaped) you should change the first line to $filename = escapeshellarg($_GET["filename"]);.
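To make the difference concrete, here is an added PHP example (not the thread author's code) that builds the tshark command string with both sanitizers side by side and never executes it. The sample input reuses the backtick payload mentioned in the reply above; the allowlist check isPlainCaptureName() and the helper buildTsharkCommand() are assumptions introduced for this example.

```php
<?php
// Added example, not code from the thread. Builds the command string with the
// two sanitizers side by side; nothing here executes a command.

// Constructed input, modelled on the payload mentioned in the reply above.
$userInput = '`touch /tmp/xxx`';

// Original approach from the thread: HTML-encode, then wrap in double quotes.
// htmlspecialchars() leaves backticks, $ and ; untouched, and the shell still
// expands backticks inside double quotes.
$htmlWrapped = '"' . htmlspecialchars($userInput) . '"';

// Hardened approach: escapeshellarg() single-quotes the value and escapes any
// embedded single quote, so the shell receives one literal argument.
$shellSafe = escapeshellarg($userInput);

// Defence in depth (assumption, not from the thread): accept only a plain file
// name, so the argument cannot name an arbitrary path on the server either.
function isPlainCaptureName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/', $name) === 1;
}

function buildTsharkCommand(string $sizeLimit, string $escapedFilename): string
{
    // $sizeLimit is a server-side constant; $escapedFilename must already be
    // the output of escapeshellarg().
    return "sudo nohup tshark -a filesize:" . $sizeLimit . " -p -w " . $escapedFilename;
}

echo buildTsharkCommand("10240", $htmlWrapped), PHP_EOL;  // backticks remain active
echo buildTsharkCommand("10240", $shellSafe), PHP_EOL;    // a single quoted literal

var_dump(isPlainCaptureName($userInput));
var_dump(isPlainCaptureName("capture1.pcap"));
```

The first echo shows the payload sitting inside double quotes, where the shell would still run it; the second shows it wrapped in single quotes as inert text. The allowlist check rejects the payload and accepts capture1.pcap, which is the kind of additional restriction the reply above hints at when it says that executing commands built from request data always carries some risk even after escaping.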

I have made the changes accordingly, but it is still raising the vulnerability issue at line 9.

  1. $filename = escapeshellarg($_GET[“filename”]);
  2. $sizeLimit = “10240”;
  3. $filesize = “1024”;
  4. $tsharkArgs = “sudo nohup tshark -a filesize:” .$sizeLimit. " -p -w ";
  5. $tsharkArgs .= $filename;
  6. $pos = strpos($tsharkArgs, “tshark”);
  7. if ($pos !== false)
  8. {
  9. system($tsharkArgs);
  10. }

What version of SonarQube are you using? It does not raise an issue for me. Also, is this really the code that raises the issue? It contains a syntax error again, so it should be neither parseable nor executable.

  • Enterprise Edition
  • Version 9.5 (build 56709)
It is the same code:
<?php $filename = escapeshellarg($_GET[“filename”]); $sizeLimit = "10240"; $filesize = "1024"; $tsharkArgs = "sudo nohup tshark -a filesize:" .$sizeLimit. " -p -w "; $tsharkArgs .= $filename; $pos = strpos($tsharkArgs, "tshark"); if ($pos !== false) { system($tsharkArgs); } ?>

I didn't get the syntax error.

Any suggestions regarding the code and the issue raised by SonarQube?

The syntax error was resolved by the edit of the post.

Unfortunately, I am not able to reproduce this issue. If I scan the code no issue is raised in line 9.

Can you provide any additional information?