PHP

Made by DeepSource

Audit required: Function may be vulnerable to arbitrary commands execution PHP-A1009

Security
Critical
a03 cwe-20 cwe-78 sans top 25 owasp top 10

Using the exec, passthru, shell_exec or system functions to execute a command can make the application vulnerable to arbitrary command execution if the user-supplied data is not escaped or sanitized properly before being passed to them.

Although functions like escapeshellarg and escapeshellcmd exist to escape a shell command and its arguments, their behaviour is not consistent across operating systems, so relying on them is discouraged.

It is recommended to use a secure library like Symfony's Process Component to execute a command in a sub-process. It takes care of escaping arguments regardless of the operating system, which prevents this class of security issue.

Bad practice

$output = null;
$resultCode = null;
// User input is interpolated into a string that a shell will parse,
// so shell metacharacters in $_POST['path'] become extra commands.
$command = "ls -lsa {$_POST['path']}";

exec($command, $output, $resultCode);

Recommended

use Symfony\Component\Process\Exception\ProcessFailedException;
use Symfony\Component\Process\Process;

// Array form: each element is passed as a separate argv entry,
// so no shell ever parses the user-supplied value.
$process = new Process(['ls', '-lsa', $_POST['path']]);
$process->run();

if (!$process->isSuccessful()) {
    throw new ProcessFailedException($process);
}

echo $process->getOutput();
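As an added example (not code from DeepSource or Symfony), here is a hardened version of the listing above that also confines the requested path to a hypothetical allowed base directory and uses mustRun() so failures surface as exceptions. It assumes symfony/process is installed via Composer and PHP 8 or later.

```php
<?php
// Added example, not part of the original rule page or of Symfony.
// Assumes symfony/process is installed via Composer and PHP >= 8.0.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Process\Exception\ProcessFailedException;
use Symfony\Component\Process\Process;

/**
 * List a user-chosen directory, confined to $baseDir (a hypothetical
 * directory the application is allowed to expose).
 * Defence in depth: validate the path first, then run the command as an
 * argv array so no shell ever parses user input.
 */
function listDirectory(string $baseDir, string $userPath): string
{
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $userPath);
    // realpath() resolves "..", symlinks and returns false for missing paths.
    if ($base === false || $target === false) {
        throw new InvalidArgumentException('Path does not exist');
    }
    // The resolved path must be the base itself or live underneath it.
    $inside = $target === $base
        || str_starts_with($target, $base . DIRECTORY_SEPARATOR);
    if (!$inside) {
        throw new InvalidArgumentException('Path outside allowed directory');
    }

    // Array form: each element becomes one argv entry, so shell
    // metacharacters in $target reach ls only as a literal file name.
    // "--" ends option parsing so the value is never read as an ls flag.
    $process = new Process(['ls', '-lsa', '--', $target]);
    $process->setTimeout(5);
    $process->mustRun(); // throws ProcessFailedException on non-zero exit

    return $process->getOutput();
}

try {
    echo listDirectory('/var/www/uploads', $_POST['path'] ?? '.');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo $e->getMessage();
} catch (ProcessFailedException $e) {
    http_response_code(500);
    // Log $e->getMessage() server-side; it carries stderr and the command line.
    echo 'Listing failed';
}
```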
