Get Started
- CodeAnt AI
- Setup
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Doctrine
- Lang
- Security
- Security
- Audit
- Injection
- Search-active-debug
- Search-cookie-secure-false-ini-config
- Taint-cookie-http-false
- Taint-cookie-secure-false
- Taint-unsafe-echo-tag
- Tainted-code-execution
- Tainted-command-injection
- Tainted-curl-injection
- Tainted-path-traversal
- Tainted-url-to-connection
- Tainted-url-to-guzzle-client
- Tainted-url-to-httpful
- Tainted-user-input-in-php-script
- Tainted-user-input-in-script
- Xml-external-entities-unsafe-entity-loader
- Xml-external-entities-unsafe-parser-flags
- Laravel
- Secrets
- Symfony
- Wordpress-plugins
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Tainted curl injection
Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use escapeshellcmd(...) and escapeshellarg(...) to correctly sanitize user input that is used respectively as system commands or command arguments. User input going into curl_exec or curl_multi_exec might lead to Server-Side Request Forgery (SSRF), which you can avoid by using an allowlist of permitted URLs.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection