Elixir System Command Injection
Description
This detector identifies command injection vulnerabilities in Elixir applications where user input can be executed as system commands. When unsafe data flows into system command functions, attackers can inject malicious commands to execute arbitrary code on the server, potentially leading to complete system compromise.
Detection Strategy
• Reports vulnerabilities when Elixir code contains function calls to system command execution functions (like System.cmd/2, System.shell/1, or :os.cmd/1)
• The function call must use unsafe or user-controllable input as arguments rather than hardcoded strings
• Triggers when the command arguments are not properly sanitized or validated before being passed to the system execution functions
Vulnerable code example
```elixir
defmodule CommandInjectionController do
  import Plug.Conn

  # VULNERABLE - user input directly interpolated into shell command
  def vulnerable_shell(conn) do
    filename = conn.params["file"]
    System.shell("cat #{filename}")
  end
end
```

✅ Secure code example
```elixir
defmodule CommandInjectionController do
  import Plug.Conn

  # SAFE - user input passed as a separate argument to System.cmd, not interpolated;
  # the argument list never goes through a shell, so metacharacters are not interpreted.
  # Argument separation stops command injection only; the value should still be
  # validated so the user cannot read arbitrary paths.
  def safe_shell(conn) do
    filename = conn.params["file"]
    System.cmd("cat", [filename])
  end
end
```