SonarSource Rules

Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

ABAP static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your ABAP code

Security Hotspot7

Filtered: 7 rules found

cwe

Using shell interpreter when executing OS commands is security-sensitive

Security Hotspot

MajorSonarSource default severity
click to learn more

Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be used (when parameters are user-controlled for instance) to inject OS commands.

Ask Yourself Whether

OS command name or parameters are user-controlled.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

Use functions that don’t spawn a shell.

Sensitive Code Example

CALL 'SYSTEM' ID 'COMMAND' FIELD usr_input ID 'TAB' FIELD TAB1.  " Sensitive

Compliant Solution

CALL 'SYSTEM' ID 'COMMAND' FIELD "/usr/bin/file.exe" ID 'TAB' FIELD TAB1.  " Compliant

See

OWASP Top 10 2021 Category A3 - Injection
OWASP Top 10 2017 Category A1 - Injection
MITRE, CWE-78 - Improper Neutralization of Special Elements used in an OS Command
SANS Top 25 - Insecure Interaction Between Components

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition