Dart Native Language Cmd Injection
Description
Detects command injection vulnerabilities in Dart applications where untrusted input can be executed as system commands through the Process API from dart:io. This could allow attackers to execute arbitrary commands on the host system through the application.
Detection Strategy
• Check if the dart:io library is imported in the source code
• Identify calls to Process API methods that can execute system commands
• Determine if the command or arguments passed to these Process calls contain dynamic/user-controlled input rather than hardcoded strings
• Report a vulnerability if a Process API call uses unsafe/dynamic input for command execution
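The four steps above can be followed mechanically. The scanner below is an added illustration written for this page, not Fluid Attacks' own detector: it reads Dart source as text, applies each step with regular expressions, and treats any argument that is not a plain string literal (interpolation, variables, method calls) as dynamic. The `Finding` class, the `scanDartSource` function and the embedded sample source are all constructed for the example.

```dart
import 'dart:io';

/// One suspicious Process call found in the scanned source.
class Finding {
  final int line;
  final String call;
  final String reason;
  Finding(this.line, this.call, this.reason);

  @override
  String toString() => 'line $line: $call -> $reason';
}

// Step 1: the rule only applies when dart:io is imported.
final _dartIoImport = RegExp(r'''import\s+['"]dart:io['"]''');
// Step 2: the Process methods that execute a program.
final _processCall = RegExp(r'\bProcess\.(run|runSync|start)\s*\(');
// Single- or double-quoted Dart string literals (escapes allowed).
final _stringLiteral =
    RegExp(r"'(?:[^'\\]|\\.)*'" + r'|"(?:[^"\\]|\\.)*"');
// Named-argument labels such as `runInShell:` are syntax, not data.
final _namedArgLabel = RegExp(r'\b\w+\s*:');
final _identifier = RegExp(r'[A-Za-z_]\w*');
const _literalKeywords = {'const', 'true', 'false', 'null'};

/// Returns the text between the parenthesis at [open] and its matching
/// close. Parentheses inside string literals are not special-cased, which
/// is acceptable for a heuristic scanner.
String _argumentText(String src, int open) {
  var depth = 0;
  for (var i = open; i < src.length; i++) {
    final ch = src[i];
    if (ch == '(') depth++;
    if (ch == ')' && --depth == 0) return src.substring(open + 1, i);
  }
  return src.substring(open + 1); // unterminated call: take the rest
}

/// Step 3: decide whether the arguments are hardcoded. Returns null when
/// every argument is a plain literal, otherwise the reason it is dynamic.
String? _dynamicReason(String args) {
  for (final lit in _stringLiteral.allMatches(args)) {
    // A raw string that merely contains '$' is a false positive here.
    if (lit.group(0)!.contains(r'$')) {
      return 'string interpolation in ${lit.group(0)}';
    }
  }
  final stripped = args
      .replaceAll(_stringLiteral, '""')
      .replaceAll(_namedArgLabel, '');
  for (final id in _identifier.allMatches(stripped)) {
    final name = id.group(0)!;
    if (!_literalKeywords.contains(name)) {
      return 'non-literal argument expression involving "$name"';
    }
  }
  return null;
}

/// Step 4: report each Process call whose arguments are not hardcoded.
List<Finding> scanDartSource(String src) {
  final findings = <Finding>[];
  if (!_dartIoImport.hasMatch(src)) return findings;
  for (final m in _processCall.allMatches(src)) {
    final args = _argumentText(src, m.end - 1);
    final reason = _dynamicReason(args);
    if (reason == null) continue;
    final line = '\n'.allMatches(src.substring(0, m.start)).length + 1;
    findings.add(Finding(line, 'Process.${m.group(1)}', reason));
  }
  return findings;
}

// Constructed sample: the page's vulnerable call next to a hardcoded call
// that must not be reported.
const _sample = '''
import 'dart:io';

Future<String> handle(String userInput) async {
  final result = await Process.run('bash', ['-c', userInput]);
  final ok = await Process.run('uname', ['-a'], runInShell: false);
  return result.stdout.toString() + ok.stdout.toString();
}
''';

void main(List<String> args) {
  // Scan a file given on the command line, or the embedded sample.
  final src = args.isEmpty ? _sample : File(args.first).readAsStringSync();
  final findings = scanDartSource(src);
  if (findings.isEmpty) print('no dynamic Process calls found');
  for (final f in findings) {
    print(f);
  }
}
```

Run with `dart run scanner.dart path/to/file.dart` (the file name is an assumption) or with no argument to scan the embedded sample, where only the `bash -c` call is reported and the hardcoded `uname -a` call is not. The literal-stripping step is what makes step 3 work: after every string literal is replaced by `""` and named-argument labels are removed, any identifier left over is, by construction, data the program computed rather than a constant.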
Vulnerable code example

import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;

Future<shelf.Response> handleRequest(shelf.Request request) async {
  final userInput = request.url.queryParameters['cmd']; // Unsafe: User input from URL parameter
  final result = await Process.run('bash', ['-c', userInput]); // Vulnerable: Direct command injection
  return shelf.Response.ok(result.stdout);
}

✅ Secure code example
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;

Future<shelf.Response> handleRequest(shelf.Request request) async {
  final userInput = request.url.queryParameters['cmd'];
  // Only allow specific commands via whitelist
  final allowedCommands = {...
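The secure example above stops before the whitelist is filled in. The following is an added, complete version written for this page, not the original code: it keeps the allowlist idea (request action names mapped to fixed argument vectors, no shell) and goes one step further with a second handler showing the only acceptable way for request data to reach a process, validated against a strict pattern and passed as its own argv element. The action names, the `_hostname` pattern, `handlePing` and the routing in `main` are assumptions of the example, and a Unix-like host is assumed for the `ping -c` flag.

```dart
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as shelf_io;

// Assumed allowlist: the request may choose an action name, never the
// program or its arguments. Each entry is a fixed argv with no shell.
const Map<String, List<String>> allowedCommands = {
  'uptime': ['uptime'],
  'disk': ['df', '-h'],
};

// Values that may be passed as a single argv element: no shell
// metacharacters, and no leading '-' so the value cannot be parsed as an
// option by the program that receives it.
final RegExp _hostname = RegExp(r'^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$');

/// GET /?cmd=<action>: maps the action to a fixed command line.
Future<shelf.Response> handleRequest(shelf.Request request) async {
  final action = request.url.queryParameters['cmd'];
  final argv = allowedCommands[action];
  if (argv == null) {
    return shelf.Response(400, body: 'unknown action');
  }
  // argv.first is the executable; the rest are separate argument strings,
  // so no shell ever sees them (runInShell defaults to false).
  final result = await Process.run(argv.first, argv.sublist(1));
  if (result.exitCode != 0) {
    return shelf.Response.internalServerError(body: 'command failed');
  }
  return shelf.Response.ok(result.stdout);
}

/// GET /?host=<name>: the one case where request data reaches the process.
/// The value is validated first and then passed as its own argv element.
Future<shelf.Response> handlePing(shelf.Request request) async {
  final host = request.url.queryParameters['host'] ?? '';
  if (!_hostname.hasMatch(host)) {
    return shelf.Response(400, body: 'invalid host');
  }
  final result = await Process.run('ping', ['-c', '1', host]);
  return result.exitCode == 0
      ? shelf.Response.ok(result.stdout)
      : shelf.Response(502, body: 'host unreachable');
}

Future<void> main() async {
  // Assumed routing: ?host= goes to the ping handler, everything else to
  // the fixed-action handler.
  shelf.Handler handler = (shelf.Request request) =>
      request.url.queryParameters.containsKey('host')
          ? handlePing(request)
          : handleRequest(request);
  final server = await shelf_io.serve(handler, 'localhost', 8080);
  print('listening on ${server.address.host}:${server.port}');
}
```

Two properties make the detection rule above stay quiet on this code. In `handleRequest` every argument to `Process.run` comes from the `const` allowlist, never from the request. In `handlePing` the request value is still a dynamic argument, so a rule that only checks for literals would report it; that is the expected place for a reviewer to confirm the validation and the absence of `bash -c` or `runInShell: true` before marking the finding as accepted.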