What is Command Injection?

Definition

Command injection is a vulnerability that occurs when an application passes user-controlled input to a system shell or command execution function without proper sanitization. The attacker injects shell metacharacters (;, &&, |, $(), backticks) that the shell interprets as command delimiters, allowing arbitrary commands to execute with the privileges of the application process.

Command injection is among the most severe application vulnerabilities — a successful attack gives the attacker direct execution on the server. It sits under the "Injection" category of the OWASP Top 10.

How Command Injection Works

A simple example: an application allows users to ping a hostname and uses this code:

exec("ping -c 4 " + user_input)

An attacker submits: example.com; cat /etc/passwd

The shell executes: ping -c 4 example.com; cat /etc/passwd

Both commands run. The output of cat /etc/passwd is returned to the attacker.

Common Vulnerable Patterns

• exec(), system(), popen(), shell_exec() with user input (PHP)
• subprocess.Popen(shell=True) with user-supplied arguments (Python)
• child_process.exec() with template literals containing user input (Node.js)
• Runtime.getRuntime().exec() constructing commands from user input (Java)
• Any function that passes a constructed command string to a shell interpreter

Impact

Command injection grants the attacker:

• Arbitrary command execution on the server
• Read access to any file the process user can read (configuration, secrets, source code)
• Network access from the server (lateral movement, data exfiltration)
• Potentially full system compromise if the application runs with elevated privileges
• Persistence through cron jobs, SSH key injection, or service installation

Prevention

Avoid shell execution with user input

The most effective defense: do not invoke a shell with user-provided data. Most tasks that seem to require shell commands can be accomplished with library functions that do not involve a shell: network ping checks can use ICMP libraries, file operations use filesystem APIs, process execution uses exec-family functions with argument arrays (not shell strings).

Use parameterized process execution

When executing external commands is necessary, use APIs that accept an argument array rather than a shell string. subprocess.run(["ping", "-c", "4", user_input]) passes user_input as a literal argument — the shell never interprets it. child_process.execFile() instead of exec() in Node.js. Argument arrays eliminate shell interpretation entirely.

Input validation and allowlisting

Validate that input conforms to an expected format before using it in a command. A hostname should match a regex for valid hostnames. An IP address should be a valid IP. Reject anything that does not match the expected pattern.

Command Injection and Autonomous Code Governance

Hydra detects command injection through taint analysis: tracking user-controlled data from HTTP inputs to shell execution functions. When user input flows to exec(), system(), subprocess with shell=True, or equivalent functions, Hydra generates a fix that either replaces the shell execution with a safer API or adds argument array construction to eliminate shell interpretation. The fix strategy depends on what the command is doing — if there is a library alternative, the fix uses it; if shell execution is necessary, it uses parameterized execution.