security.injection

Command execution using untrusted input

Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.

# Metadata

# Why it matters

Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.

# Remediation

Dispatch only allowlisted binaries, keep shell mode disabled, and validate or constrain subcommands before execution.
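The remediation above, sketched in Python as an added example (not code from the rule catalog). The names `ALLOWED_TOOLS`, `build_argv`, `run_request` and `RejectedCommand` are hypothetical, and the allowlist entries, including the `/usr/bin/git` path, are constructed for illustration.

```python
import subprocess
import sys

# Constructed allowlist (hypothetical): request key -> (fixed executable, allowed subcommands).
# The request only selects a key; it never supplies a path or binary name.
ALLOWED_TOOLS = {
    "git": ("/usr/bin/git", {"status", "log"}),
    "pyver": (sys.executable, {"--version"}),  # present so the example runs anywhere
}


class RejectedCommand(ValueError):
    """Request input did not match the allowlist."""


def build_argv(tool, subcommand, extra=()):
    """Turn request fields into an argv list, or raise RejectedCommand."""
    if not isinstance(tool, str) or tool not in ALLOWED_TOOLS:
        raise RejectedCommand(f"tool not allowlisted: {tool!r}")
    executable, subcommands = ALLOWED_TOOLS[tool]
    if not isinstance(subcommand, str) or subcommand not in subcommands:
        raise RejectedCommand(f"subcommand not allowed: {subcommand!r}")
    for arg in extra:
        # Option-like or NUL-bearing values would let the request add flags
        # or truncate arguments, so they are refused rather than escaped.
        if not isinstance(arg, str) or arg.startswith("-") or "\x00" in arg:
            raise RejectedCommand(f"argument rejected: {arg!r}")
    # "--" ends option parsing by convention, so remaining values are operands.
    return [executable, subcommand] + (["--", *extra] if extra else [])


def run_request(tool, subcommand, extra=()):
    """Execute the validated argv with no shell involved."""
    argv = build_argv(tool, subcommand, extra)
    # Flagged pattern, for contrast (request data reaches a shell):
    #   subprocess.run(f"{tool} {subcommand} {' '.join(extra)}", shell=True)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10, check=False)


if __name__ == "__main__":
    print(build_argv("git", "log", ["notes.txt; id"]))  # one operand, not two commands
    print(run_request("pyver", "--version").stdout.strip())
```

Because the argv list is passed with `shell=False`, a value such as `notes.txt; id` stays a single operand; the leading-dash check covers the separate case of request data being read as an option by the allowlisted binary.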

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/shared/security.no-command-execution-with-request-input.rule.yaml.