When constructing commands that will be executed, always sanitize input values to prevent command injection vulnerabilities. Never directly substitute user-supplied or externally-sourced data into command strings without proper validation and sanitization.
Unsafe pattern (vulnerable to injection):
command := strings.Replace(proxyCommand, "%h", host, -1)
// If this string is later handed to a shell, any metacharacters in 'host'
// (quotes, ';', '|', '$', backticks, ...) are parsed as part of the command
Safer alternatives:
// Allow-list validation: only DNS-style labels, so shell metacharacters can never appear
var validHostnamePattern = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)
if !validHostnamePattern.MatchString(host) {
return nil, fmt.Errorf("invalid hostname format: %s", host)
}
// Pass host and port as separate argv entries: exec.Command invokes the program
// directly, with no shell in between, so the arguments are never parsed for metacharacters
cmd := exec.Command(proxyCommand, host, port)
// Only when a shell cannot be avoided: shellEscape stands for a quoting routine
// that matches the target shell's syntax (it is not a standard-library function)
escapedHost := shellEscape(host)
command := strings.Replace(proxyCommand, "%h", escapedHost, -1)
This practice helps protect against attackers who might craft malicious input to execute unauthorized commands on your system.
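The validate-then-exec alternative above, carried through as a complete program. This is an added example, not code from the original guideline; the names validHostnamePattern, ValidateHost and BuildProxyCommand, the proxy path /usr/bin/nc and the sample inputs are all constructed for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// validHostnamePattern (assumed name) accepts DNS-style labels only, so
// whitespace, quotes, ';', '|', '$', backticks and the like can never pass.
var validHostnamePattern = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// ValidateHost rejects anything that is not a plausible hostname.
func ValidateHost(host string) error {
	if host == "" || len(host) > 253 || !validHostnamePattern.MatchString(host) {
		return fmt.Errorf("invalid hostname format: %q", host)
	}
	return nil
}

// BuildProxyCommand builds an argv vector for the proxy program without a
// shell: host and port become separate arguments, so nothing in them is
// ever interpreted as command syntax.
func BuildProxyCommand(proxyCommand, host string, port int) (*exec.Cmd, error) {
	if err := ValidateHost(host); err != nil {
		return nil, err
	}
	if port < 1 || port > 65535 {
		return nil, fmt.Errorf("invalid port: %d", port)
	}
	return exec.Command(proxyCommand, host, strconv.Itoa(port)), nil
}

func main() {
	// Constructed inputs: one benign hostname, one carrying shell metacharacters.
	for _, h := range []string{"bastion.example.com", "example.com;echo injected"} {
		cmd, err := BuildProxyCommand("/usr/bin/nc", h, 22)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("argv:", strings.Join(cmd.Args, " "))
	}
}
```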