[{"data":1,"prerenderedAt":258},["ShallowReactive",2],{"term-c\u002Fcommand-injection":3,"related-c\u002Fcommand-injection":241},{"id":4,"title":5,"acronym":6,"body":7,"category":222,"description":223,"difficulty":224,"extension":225,"letter":226,"meta":227,"navigation":126,"path":228,"related":229,"seo":235,"sitemap":236,"stem":239,"subcategory":6,"__hash__":240},"terms\u002Fterms\u002Fc\u002Fcommand-injection.md","Command Injection",null,{"type":8,"value":9,"toc":216},"minimark",[10,15,24,28,31,35,205,209,212],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18,19,23],"p",{},"Command injection is like SQL injection but worse — instead of attacking your database, the hacker injects shell commands that run on your actual server. If your code runs user input in a terminal command without sanitizing, an attacker could run ",[20,21,22],"code",{},"rm -rf \u002F"," on your production server.",[11,25,27],{"id":26},"real-talk","Real Talk",[16,29,30],{},"Command injection occurs when user-controlled input is passed unsanitized to a shell command. Attackers can execute arbitrary OS commands with the application's privileges. Prevention involves avoiding shell execution with user input, using APIs with argument lists instead of shell strings, and strict input validation.",[11,32,34],{"id":33},"show-me-the-code","Show Me The Code",[36,37,42],"pre",{"className":38,"code":39,"language":40,"meta":41,"style":41},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F ❌ Vulnerable: user input goes into shell command\nimport { exec } from 'child_process';\nexec(`ping ${userInput}`); \u002F\u002F if userInput = '8.8.8.8; rm -rf \u002F', you're done\n\n\u002F\u002F ✅ Safe: use argument arrays, not shell strings\nimport { execFile } from 'child_process';\nexecFile('ping', ['-c', '4', userInput], callback);\n","javascript","",[20,43,44,53,87,121,128,134,156],{"__ignoreMap":41},[45,46,49],"span",{"class":47,"line":48},"line",1,[45,50,52],{"class":51},"sHwdD","\u002F\u002F ❌ Vulnerable: user input goes into shell command\n",[45,54,56,60,64,68,71,74,77,81,84],{"class":47,"line":55},2,[45,57,59],{"class":58},"s7zQu","import",[45,61,63],{"class":62},"sMK4o"," {",[45,65,67],{"class":66},"sTEyZ"," exec",[45,69,70],{"class":62}," }",[45,72,73],{"class":58}," from",[45,75,76],{"class":62}," '",[45,78,80],{"class":79},"sfazB","child_process",[45,82,83],{"class":62},"'",[45,85,86],{"class":62},";\n",[45,88,90,94,97,100,103,106,109,112,115,118],{"class":47,"line":89},3,[45,91,93],{"class":92},"s2Zo4","exec",[45,95,96],{"class":66},"(",[45,98,99],{"class":62},"`",[45,101,102],{"class":79},"ping ",[45,104,105],{"class":62},"${",[45,107,108],{"class":66},"userInput",[45,110,111],{"class":62},"}`",[45,113,114],{"class":66},")",[45,116,117],{"class":62},";",[45,119,120],{"class":51}," \u002F\u002F if userInput = '8.8.8.8; rm -rf \u002F', you're done\n",[45,122,124],{"class":47,"line":123},4,[45,125,127],{"emptyLinePlaceholder":126},true,"\n",[45,129,131],{"class":47,"line":130},5,[45,132,133],{"class":51},"\u002F\u002F ✅ Safe: use argument arrays, not shell strings\n",[45,135,137,139,141,144,146,148,150,152,154],{"class":47,"line":136},6,[45,138,59],{"class":58},[45,140,63],{"class":62},[45,142,143],{"class":66}," execFile",[45,145,70],{"class":62},[45,147,73],{"class":58},[45,149,76],{"class":62},[45,151,80],{"class":79},[45,153,83],{"class":62},[45,155,86],{"class":62},[45,157,159,162,164,166,169,171,174,177,179,182,184,186,188,191,193,195,198,200,203],{"class":47,"line":158},7,[45,160,161],{"class":92},"execFile",[45,163,96],{"class":66},[45,165,83],{"class":62},[45,167,168],{"class":79},"ping",[45,170,83],{"class":62},[45,172,173],{"class":62},",",[45,175,176],{"class":66}," [",[45,178,83],{"class":62},[45,180,181],{"class":79},"-c",[45,183,83],{"class":62},[45,185,173],{"class":62},[45,187,76],{"class":62},[45,189,190],{"class":79},"4",[45,192,83],{"class":62},[45,194,173],{"class":62},[45,196,197],{"class":66}," userInput]",[45,199,173],{"class":62},[45,201,202],{"class":66}," callback)",[45,204,86],{"class":62},[11,206,208],{"id":207},"when-youll-hear-this","When You'll Hear This",[16,210,211],{},"\"The image resizer was vulnerable to command injection via the filename.\" \u002F \"Never pass user input directly to exec().\"",[213,214,215],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":41,"searchDepth":55,"depth":55,"links":217},[218,219,220,221],{"id":13,"depth":55,"text":14},{"id":26,"depth":55,"text":27},{"id":33,"depth":55,"text":34},{"id":207,"depth":55,"text":208},"security","Command injection is like SQL injection but worse — instead of attacking your database, the hacker injects shell commands that run on your actual server.","intermediate","md","c",{},"\u002Fterms\u002Fc\u002Fcommand-injection",[230,231,232,233,234],"SQL Injection","XSS","OWASP Top 10","Input Validation","Sanitization",{"title":5,"description":223},{"changefreq":237,"priority":238},"weekly",0.7,"terms\u002Fc\u002Fcommand-injection","1bzRg9nc9Nvu01IfRhHEiO1sfx_F4NRO0svieCL0Ro4",[242,246,249,252,255],{"title":233,"path":243,"acronym":6,"category":222,"difficulty":244,"description":245},"\u002Fterms\u002Fi\u002Finput-validation","beginner","Input validation is checking that user input is what you expect before using it.",{"title":232,"path":247,"acronym":6,"category":222,"difficulty":244,"description":248},"\u002Fterms\u002Fo\u002Fowasp-top-10","The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.",{"title":234,"path":250,"acronym":6,"category":222,"difficulty":244,"description":251},"\u002Fterms\u002Fs\u002Fsanitization","Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.",{"title":230,"path":253,"acronym":6,"category":222,"difficulty":224,"description":254},"\u002Fterms\u002Fs\u002Fsql-injection","SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.",{"title":231,"path":256,"acronym":231,"category":222,"difficulty":224,"description":257},"\u002Fterms\u002Fx\u002Fxss","XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.",1776518267619]