Elixir System Command Injection

Description

This detector identifies command injection vulnerabilities in Elixir applications where user-controlled input reaches a function that executes operating-system commands. When untrusted data flows into such a function without validation, an attacker can append or substitute commands and execute arbitrary code with the privileges of the application process, which can lead to complete compromise of the host.

Weakness:

404 - OS Command Injection

Category: Functionality Abuse

Detection Strategy

    Reports a finding when Elixir code calls a system command execution function (System.cmd/2, System.shell/1, or :os.cmd/1). System.shell/1 and :os.cmd/1 always run the string through the OS shell; System.cmd/2 spawns the program directly, so it only reaches a shell when the command itself is a shell (for example "sh" with a "-c" argument).

    The call must use unsafe or user-controllable input in the command or its arguments rather than hardcoded strings.

    Triggers when the command or its arguments are not sanitized or validated before being passed to the execution function.

Vulnerable code example

defmodule CommandInjectionController do
  import Plug.Conn

  # VULNERABLE - user input directly interpolated into a shell command string.
  # A value such as "x; id" or "$(id)" is executed by the shell as a command.
  def vulnerable_shell(conn) do
    filename = conn.params["file"]
    System.shell("cat #{filename}")
  end
end

✅ Secure code example

defmodule CommandInjectionController do
  import Plug.Conn

  # SAFER - user input passed as a separate argv element to System.cmd, not
  # interpolated into a shell string, so shell metacharacters are inert.
  # Argument separation does not validate the value itself: "../../etc/passwd"
  # is still a valid path, and a name beginning with "-" is parsed by cat as an
  # option, so the filename must still be validated before the call.
  def safe_shell(conn) do
    filename = conn.params["file"]
    System.cmd("cat", [filename])
  end
end
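The three call shapes listed under Detection Strategy, and a hardened form of the secure example that also covers path traversal and option injection, as an added example that is not code from the original page or from the detector. The module name, the base directory, and the helper names are assumptions for illustration.

```elixir
defmodule SafeFileRead do
  @moduledoc """
  Added example: the ways request input reaches a command in Elixir, beside
  one hardened version. Module name, @base_dir and helper names are assumed.
  """

  # Assumed directory the application is willing to serve files from.
  @base_dir "/var/app/uploads"

  # --- Vulnerable variants: each lets the request control the command line.

  # 1. Interpolation into a shell string: "x; id" or "$(id)" runs as a command.
  def vuln_shell(filename), do: System.shell("cat #{filename}")

  # 2. :os.cmd/1 also goes through a shell; the charlist conversion changes nothing.
  def vuln_os_cmd(filename), do: :os.cmd(to_charlist("cat #{filename}"))

  # 3. System.cmd/2 with "sh -c" reintroduces the shell that argv lists avoid.
  def vuln_sh_c(filename), do: System.cmd("sh", ["-c", "cat #{filename}"])

  # --- Hardened version.
  #
  # System.cmd/3 passes `path` as a single argv element, so shell metacharacters
  # are inert. Two things remain that argv separation does not cover, and both
  # are handled in resolve/1 before the call:
  #   * path traversal: "../../etc/passwd" is a perfectly valid argument;
  #   * option injection: "-n" or "--help" is parsed by cat as a flag.
  # The "--" terminator is defence in depth against the second case.
  def safe_read(filename) when is_binary(filename) do
    with {:ok, path} <- resolve(filename),
         {output, 0} <- System.cmd("cat", ["--", path], stderr_to_stdout: true) do
      {:ok, output}
    else
      {:error, reason} -> {:error, reason}
      {_output, status} -> {:error, {:exit_status, status}}
    end
  end

  # Allow only a plain file name: alphanumeric first character (no leading
  # dash or dot), no path separators, bounded length. Then confirm the
  # expanded path still lies inside @base_dir as a second, independent check.
  defp resolve(filename) do
    if Regex.match?(~r/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/, filename) do
      path = Path.expand(filename, @base_dir)

      if String.starts_with?(path, @base_dir <> "/"),
        do: {:ok, path},
        else: {:error, :outside_base_dir}
    else
      {:error, :invalid_filename}
    end
  end
end
```

In practice the process spawn is avoidable here: if the goal is only to return a file's contents, `File.read/1` on the resolved path removes the command execution sink altogether, and the same `resolve/1` check still applies to the path.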