> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeant.ai/llms.txt
> Use this file to discover all available pages before exploring further.
# A03:2021 - Injection
> Security rules for Injection vulnerabilities. Injection flaws occur when an application sends untrusted data to an interpreter as part of a command or query. This includes SQL injection, NoSQL inj
Injection flaws occur when an application sends untrusted data to an interpreter as part of a command or query. This includes SQL injection, NoSQL injection, OS command injection, LDAP injection, XSS, and expression language injection.
CodeAnt AI detects **Injection** vulnerabilities across **21 languages**: Python, Java, JavaScript, TypeScript, Go, C#, C, C++, Ruby, PHP, Kotlin, Swift, Rust, Scala, Bash, Clojure, Elixir, Terraform, HTML, YAML, Apex.
***
## Detected Vulnerabilities
**Severity:** **Critical**
### Description
The application constructs SQL queries using unsanitized user input, allowing attackers to modify the query logic to access, modify, or delete database contents.
### Impact
Complete database compromise including data theft, data modification, authentication bypass, and in some cases remote code execution on the database server.
### Remediation
Use parameterized queries or prepared statements exclusively. Use ORM frameworks with built-in protection. Never concatenate user input into SQL strings. Apply input validation as defense-in-depth.
**Severity:** **Critical**
### Description
The application passes unsanitized user input to operating system commands, allowing attackers to execute arbitrary commands on the host system.
### Impact
Full system compromise. Attackers can execute arbitrary commands with the privileges of the application, install malware, exfiltrate data, or pivot to other systems.
### Remediation
Avoid calling OS commands with user input. Use language-native libraries instead of shell commands. If shell commands are necessary, use strict allowlists and parameterized execution (e.g., `subprocess` with list arguments in Python).
**Severity:** **High**
### Description
The application includes untrusted data in web pages without proper validation or escaping, allowing attackers to execute scripts in victims' browsers.
### Impact
Session hijacking, defacement, redirecting users to malicious sites, keylogging, and stealing sensitive data from the user's browser context.
### Remediation
Encode output based on context (HTML, JavaScript, URL, CSS). Use Content Security Policy (CSP) headers. Use templating engines that auto-escape by default. Sanitize HTML input with proven libraries.
**Severity:** **Critical**
### Description
The application allows user input to be executed as code, typically through `eval()`, `exec()`, or similar dynamic code execution functions.
### Impact
Remote code execution. Attackers can run arbitrary code on the server, leading to complete application and potentially system compromise.
### Remediation
Never use `eval()`, `exec()`, or similar functions with user input. Use safe alternatives like JSON parsing for data. Implement sandboxing if dynamic code execution is absolutely required.
**Severity:** **Critical**
### Description
The application dynamically evaluates code using user-controlled data in functions like `eval()`, `Function()`, template engines, or expression languages.
### Impact
Arbitrary code execution in the application context. Attackers can read files, access databases, make network requests, or completely take over the application.
### Remediation
Eliminate all uses of `eval()` and dynamic code evaluation with user input. Use safe parsing libraries. If expression evaluation is needed, use sandboxed expression evaluators with restricted capabilities.
**Severity:** **Critical**
### Description
The application constructs commands using unsanitized externally-supplied input, which can be manipulated to execute unintended commands.
### Impact
Attackers can execute arbitrary system commands, potentially gaining full control of the server, accessing sensitive files, or using the server as a pivot point for further attacks.
### Remediation
Use APIs and libraries that are not susceptible to injection instead of shell commands. If commands are necessary, validate inputs against a strict allowlist. Use parameterized command execution.
**Severity:** **High**
### Description
The application constructs LDAP queries using unsanitized user input, allowing attackers to modify the query to access unauthorized directory entries.
### Impact
Authentication bypass, unauthorized access to directory information, and potential modification of LDAP entries including user accounts and permissions.
### Remediation
Use parameterized LDAP queries. Escape special LDAP characters in user input. Validate input against expected formats. Use LDAP frameworks with built-in injection protection.
**Severity:** **High**
### Description
The application processes XML input that contains references to external entities, which can be exploited to access local files, perform server-side request forgery, or cause denial of service.
### Impact
Reading local files from the server, scanning internal networks via SSRF, denial of service through billion-laughs attacks, and in some cases remote code execution.
### Remediation
Disable external entity processing in XML parsers. Use `defusedxml` in Python, disable DTDs in Java XML parsers, use `libxml_disable_entity_loader` in PHP. Prefer JSON over XML where possible.
**Severity:** **Critical**
### Description
The application evaluates user-controlled data within expression language (EL) contexts such as Spring EL, OGNL, MVEL, or template engines, allowing arbitrary expression execution.
### Impact
Remote code execution through expression language evaluation. Attackers can access application internals, execute system commands, and fully compromise the server.
### Remediation
Never pass user input to expression language evaluators. Use parameterized templates. Restrict expression language capabilities in template engines. Apply strict input validation.
**Severity:** **Medium**
### Description
The application generates CSV files with user-controlled data without sanitizing formula characters, allowing injection of spreadsheet formulas that execute when opened.
### Impact
When users open the CSV in spreadsheet applications, injected formulas can exfiltrate data, execute commands, or install malware on the user's workstation.
### Remediation
Prefix cell values starting with `=`, `+`, `-`, `@`, `\t`, `\r` with a single quote. Use CSV libraries that handle formula injection (e.g., `defusedcsv` in Python). Sanitize all user input before CSV export.
**Severity:** **Critical**
### Description
The application constructs NoSQL queries using unsanitized user input, allowing attackers to manipulate query logic in databases like MongoDB, CouchDB, or DynamoDB.
### Impact
Authentication bypass, unauthorized data access, data manipulation, and potential denial of service through malicious query operators.
### Remediation
Use parameterized queries or ODM frameworks. Validate input types strictly (reject objects when strings are expected). Sanitize MongoDB operators like `$gt`, `$ne`, `$where` from user input.