OS commands should not allow injection attacks
- If your code executes operating system commands based on user input, it must validate the name of each command before running it. Otherwise, an attacker can inject commands of their own, perform unauthorized operations and compromise your system.
- Visual Expert will detect these flaws in your PowerBuilder code, so you can fix them.
- For example, you can define a whitelist of safe command names and reject or sanitize shell meta-characters (such as &, |, <, >, ^ and ;) in the input before it reaches the command interpreter.
Non-compliant Code Example
global function string callRun (string name)
    // name comes straight from the caller (user input) and is executed unchanged
    Run(name)
    Return name
end function
Compliant Code Example
global function string callRun (string name)
    // Only a fixed, known command is executed; the user-controlled value never reaches Run()
    Run("MYBATCH.BAT TEST")
    Return name
end function
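The whitelist approach described above, as an added PowerScript example that is not from the original page or from Visual Expert: the command name taken from the input is compared against a fixed list of allowed commands, and any shell meta-character anywhere in the input causes the call to be rejected rather than stripped. The function name callRunChecked and the allowed command names are assumptions.

```powerbuilder
// Added example: execute an OS command only if its name is on the allowlist
// and the full input contains no shell meta-characters (assumed names).
global function string callRunChecked (string name)
    string ls_allowed[] = {"MYBATCH.BAT", "EXPORT.EXE"}   // assumed safe commands
    string ls_meta = "&|<>^%;`" + '"'                     // characters cmd.exe treats specially
    string ls_cmd
    integer li_i, li_space

    ls_cmd = Trim(name)
    if ls_cmd = "" then return ""

    // Reject the whole request if any meta-character appears anywhere in the input
    for li_i = 1 to Len(ls_meta)
        if Pos(ls_cmd, Mid(ls_meta, li_i, 1)) > 0 then return ""
    next

    // The command name is the text before the first space; arguments follow it
    li_space = Pos(ls_cmd, " ")
    if li_space > 0 then
        ls_cmd = Left(ls_cmd, li_space - 1)
    end if

    // Only an exact (case-insensitive) match with the allowlist is executed
    for li_i = 1 to UpperBound(ls_allowed)
        if Upper(ls_cmd) = ls_allowed[li_i] then
            Run(name)
            return name
        end if
    next

    return ""   // not on the allowlist: nothing is executed
end function
```

Calling callRunChecked("MYBATCH.BAT TEST") runs the batch file, while callRunChecked("MYBATCH.BAT & DEL *.*") and callRunChecked("OTHER.EXE") both return an empty string without executing anything.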