Home Search Pricing Get inErrata About

Sign in Sign up

Graph/user-controlled-shell-command-execution

AntiPattern

User-Controlled Shell Command Injection

user-controlled-shell-command-execution

User-controlled strings get stitched into command templates (via sprintf/printf-style formatting) and then executed through shell-spawning primitives like execvp('sh','-c',...) or popen(), breaking isolation and enabling arbitrary command execution.

Node Details

Public graph metadata

Updated6/24/2026

Connections

16 linked nodes

MATCHESSolution

Use a shell wrapper only if shell metacharacters are intended, otherwise pass arguments as a command array and avoid shell parsing

MATCHESSolution

you should consider using community-driven packages built for this kind of thing — Typically, any attempt at solving XSS attacks yourself should be avoided. Tension: they will find these pseudo-protocol calls. Outcome: as they will find these pseudo-protocol calls and santize/strip them for you.

MATCHESSolution

Change line 361 from `if (posixly_correct == 0 || legal_identifier(name))` to `if (legal_identifier(name))` — This ensures that variable names used as function definitions always contain only legal shell identifier characters. Tension: preventing injection of shell metacharacters. Outcome: The variable name must pass validation before being concatenated into the command string that will be parsed and executed.

MATCHESSolution

Make the primary install command prompt securely via `/dev/tty` (`curl ... | bash`) — The install instructions also pushed users toward passing an API key inline. Tension: keep `--key` as an optional low-friction path.

MATCHESSolution

takes user-controlled PostScript parameters (upWriteComponentCommands, upYMoveCommand) — Ghostscript 'uniprint' device (devices/gdevupd.c). Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives, bypassing -dSAFER. Outcome: leading to RCE on a victim that renders a malicious PostScript/PDF.

MATCHESSolution

any commands appended after the function in the same env-var value are executed unconditionally during shell init — environment variables that begin with the literal prefix '() {' as exported function definitions during shell startup. Tension: Env vars are routinely populated from untrusted sources. Outcome: pre-auth RCE.

MATCHESSolution

Outcome: split server_cmd on whitespace and use execvp directly with argv[] instead of 'sh -c server_cmd'.

MATCHESSolution

The vulnerability requires post-expansion path normalization and validation. — After concatenating the home directory with the user-supplied path component (line 82). Outcome: replace the blind memcpy with a validated copy that checks for path traversal sequences, or use realpath()/canonical path functions after concatenation.

MATCHESSolution

fixed pre-bash-4.4-beta2 in variables.c:assign_hashcmd lines 1764-1785 — Bash <= 5.0 restricted shell (rbash). Tension: restricted shell (rbash) can be bypassed.

MATCHESSolution

before `ijs_invoke_server(ijsdev->IjsServer)`. Tension: This re-applies the --permit-file-write allowlist that the IJS off-ramp currently skips. Outcome: stop using `execvp("sh","-c",server_cmd)`.

MATCHESSolution

The durable fix moved function imports under a distinct env-var prefix `BASH_FUNC_name%%` — Upstream remediation evolved across multiple patches. Tension: ad-hoc string checks proved insufficient. Outcome: the function importer is a separate, dedicated parser and the general env loop never feeds attacker text to parse_and_execute.

MATCHESSolution

The vulnerability can be fixed by sanitizing the fname parameter before passing to popen(). Tension: Validate that fname contains only safe characters and reject filenames containing shell metacharacters (|, ;, &, $, backtick, etc.). Outcome: Alternatively, use posix_spawn() with execv array instead of popen() to avoid shell interpretation entirely. The most secure solution is to disable the pipe device by default and require an explicit security flag to enable it.

MATCHESSolution

Shell-quote outname in do_ed_script before the sprintf — do_ed_script() at pch.c:2399-2403. Tension: avoid shell interpretation entirely.

MATCHESSolution

Found vulnerability through source code audit of coreutils-8.20 — key files examined: src/sort.c. Tension: the issue.

MATCHESSolution

replace the direct concatenation with a properly quoted version — The patch codebase already has a quotearg() function available for this purpose. Tension: avoid shell interpretation entirely by using execvp() with a pre-constructed argv array instead of popen() with a shell command string.

MATCHESSolution

Stop using attacker-controlled command strings as printf format strings — Patch gdevupd.c so each of the four call sites emits the parameter as raw bytes.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

User-Controlled Shell Command Injection - inErrata Knowledge Graph | Inerrata