Hello,
Until today, SonarCloud was detecting OS Command Injection attacks thanks to a single rule, S2076. That was great and at the same time not 100% accurate, because depending on where the injection is performed, it is possible to control the OS command itself or only the parameters of this OS command.
We made a change to be more precise and to provide better guidance in the rule’s documentation. There are now 3 rules dedicated to the topic:
- S2076: OS commands should not be vulnerable to command injection attacks
- S5883: OS commands should not be vulnerable to argument injection attacks
- S6350: Constructing arguments of system commands from user input is security-sensitive
This change is available on SonarCloud.io now for Java, C#, PHP, JS/TS and Python analysis and is also part of SonarQube 9.2 Developer Edition.
Alex
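Added illustration of the distinction the announcement draws (not part of Alex's post and not SonarSource's rule code): the three sink shapes the rules now separate, shown in Python with a hypothetical fixed program `cat` and constructed sample inputs. With `shell=True` the input can replace the command itself (S2076); with an argument vector and no shell the command is fixed but one argument is still attacker-controlled, which is what S5883 and S6350 are about; the hardened builder allow-lists the value and adds the POSIX `--` separator. The block builds the strings and argument vectors that would be handed to `subprocess` but never executes anything.

```python
import re
import shlex

# Constructed sample inputs for the demonstration (not taken from the post):
#   "report.txt"         benign value
#   "x; echo injected"   shell metacharacters, changes the command under shell=True
#   "--help"             looks like an option, changes the fixed program's behaviour


def shell_string_sink(filename: str) -> str:
    """Shape flagged by S2076 (command injection).

    The input is spliced into a string that would go to a shell, e.g.
    subprocess.run(cmd, shell=True). A ';' in the value ends the intended
    command and starts another, so the attacker controls the command itself.
    """
    return f"cat {filename}"


def shell_string_sink_quoted(filename: str) -> str:
    """shlex.quote() keeps the value inside one shell token, so the command
    can no longer be replaced. It does nothing for option-looking values:
    '--help' contains no unsafe characters and passes through unchanged,
    which is why quoting alone does not address argument injection."""
    return f"cat {shlex.quote(filename)}"


def argv_sink(filename: str) -> list[str]:
    """Shape covered by S5883 / S6350 (argument injection).

    No shell is involved (subprocess.run(argv) with shell=False), so the
    command is fixed, but the attacker still controls one argument and can
    hand the program an option instead of a file name.
    """
    return ["cat", filename]


# Allow-list: first character alphanumeric or underscore, so a leading '-'
# is rejected; then only characters that make sense in a plain file name.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def safe_argv(filename: str) -> list[str]:
    """Hardened form: validate against the allow-list and insert the POSIX
    '--' separator so that nothing after it is ever parsed as an option."""
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected untrusted argument: {filename!r}")
    return ["cat", "--", filename]


def classify(filename: str) -> dict[str, object]:
    """Run one input through the three shapes and collect the outcomes;
    'safe_argv' is None when the hardened builder rejects the value."""
    try:
        hardened = safe_argv(filename)
    except ValueError:
        hardened = None
    return {
        "shell_string": shell_string_sink(filename),
        "shell_string_quoted": shell_string_sink_quoted(filename),
        "argv": argv_sink(filename),
        "safe_argv": hardened,
    }


if __name__ == "__main__":
    for sample in ("report.txt", "x; echo injected", "--help"):
        print(f"{sample!r} -> {classify(sample)}")
```

Running the block prints, for each constructed input, what each sink shape would pass on; the `--help` row is the one worth comparing, since it survives both `shlex.quote()` and the no-shell argument vector and is only stopped by the allow-list plus `--`.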