Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be
used (when parameters are user-controlled for instance) to inject OS commands.
Ask Yourself Whether
- OS command name or parameters are user-controlled.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Use functions that don't spawn a shell.
Sensitive Code Example
CALL 'SYSTEM' ID 'COMMAND' FIELD usr_input ID 'TAB' FIELD TAB1. " Sensitive
CALL 'SYSTEM' ID 'COMMAND' FIELD "/usr/bin/file.exe" ID 'TAB' FIELD TAB1. " Compliant