Critical

OS commands should not allow injection attacks

Description

    The "OS commands should not allow injection attacks" rule states that when executing OS commands from PowerBuilder code, the commands should be validated to ensure that they cannot be used to inject malicious code into the system. This can be done by using parameterized queries, whitelisting accepted commands, or other methods of input validation. Additionally, the code should be written to ensure that any user-supplied data is properly escaped and sanitized to prevent malicious code from being injected into the system.

Key Benefits

  • Enhanced Security: OS commands should not allow injection attacks rule prevents malicious code from being injected into the system, which helps to ensure the security of the system.
  • Improved Performance: By preventing malicious code from being injected into the system, the performance of the system is improved, as it avoids the need to spend time and resources on detecting and removing malicious code.
  • Reduced Risk: By preventing malicious code from being injected into the system, the risk of potential damage to the system is reduced, as the malicious code is not able to be executed.
  • Compliance: OS commands should not allow injection attacks rule helps organizations to comply with various security regulations and standards.

 

Non-compliant Code Example

global function string callRun (string name)
Run(name)
Return name
end function

Compliant Code Example

global function string callRun (string name)
Run("MYBATCH.BAT TEST")
Return name
end function
Visual Expert 2023
 VEPBRULE11