
OS commands should not allow injection attacks

Rule description

  • If your code executes operating system commands built from user input, it must validate the name of each command before running it. Otherwise, an attacker could inject commands of their own to perform unauthorized operations and compromise your system.
  • Visual Expert detects these flaws in your PowerBuilder code so that you can fix them.
  • For example, you can define a whitelist of safe commands and sanitize shell meta-characters.


Non-compliant Code Example

global function string callRun (string name)
    // The command comes straight from the caller: whatever the user supplied is executed
    Run(name)
    Return name
end function

Compliant Code Example

global function string callRun (string name)
    // The command line is a fixed literal; the caller's input never reaches Run()
    Run("MYBATCH.BAT TEST")
    Return name
end function
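When the command or its argument must still vary at run time, the rule's two suggestions (a whitelist of commands, plus rejection of shell meta-characters) can be combined in one PowerScript function. The example below is added here and is not code from the rule page or from Visual Expert; the function name runAllowed, its arguments and the allow-listed command names are assumptions.

```powerbuilder
// Added example (not from the original rule page): run only allow-listed commands
// and reject arguments that contain shell meta-characters.
// Assumed names: runAllowed, as_command, as_argument; list contents are constructed.
global function integer runAllowed (string as_command, string as_argument)
    // Fixed list of commands this application is permitted to launch
    string ls_allowed[] = {"MYBATCH.BAT", "REPORT.BAT"}
    // Characters an argument may contain: letters, digits, underscore, dot, dash
    string ls_safe = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-"
    string ls_cmd, ls_char
    integer li_i
    boolean lb_found = false

    // 1. The command name must match the whitelist exactly (case-insensitive)
    ls_cmd = Upper(Trim(as_command))
    FOR li_i = 1 TO UpperBound(ls_allowed)
        IF ls_cmd = ls_allowed[li_i] THEN
            lb_found = true
            EXIT
        END IF
    NEXT
    IF NOT lb_found THEN RETURN -1   // command not on the whitelist

    // 2. The argument must be non-empty, short, and built only from safe characters;
    //    this rejects & | < > ^ % " and whitespace or line breaks (~n, ~r)
    IF Len(as_argument) = 0 OR Len(as_argument) > 64 THEN RETURN -1
    FOR li_i = 1 TO Len(as_argument)
        ls_char = Upper(Mid(as_argument, li_i, 1))
        IF Pos(ls_safe, ls_char) = 0 THEN RETURN -1
    NEXT

    // Only a known command with a vetted argument reaches Run()
    RETURN Run(ls_cmd + " " + as_argument)
end function
```

A call such as runAllowed("MYBATCH.BAT", "TEST") runs the batch file, while runAllowed("MYBATCH.BAT", "TEST & DEL *.*") and runAllowed("OTHER.EXE", "TEST") both return -1 without executing anything.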
Visual Expert 2020, rule VEPBRULE11