Standard Library

GoOSExec

The os/exec standard library package. exec.Command and exec.CommandContext are command injection sinks when any argument comes from user-controlled input. Most dangerous with shell=true-equivalent patterns.

Taint flow: 0 sources, 2 sinks (dangerous call): .Command(), .CommandContext()

Sinks

.Command() (Sink)
Signature
Command(name string, arg ...string) *Cmd

Creates Cmd to run name with args. name and any arg are injection sinks.

.CommandContext() (Sink)
Signature
CommandContext(ctx context.Context, name string, arg ...string) *Cmd

Like Command but with context for cancellation. Same injection risk.


Fully-Qualified Names

FQN            Field
os/exec        fqns[0]
os/exec.Cmd    fqns[1]
exec.*         patterns

A wrong FQN yields 0 findings. Sanity check: change fqns to a garbage value; the rule must then produce 0 results.

Import

go.mod:
    // standard library — no go.mod entry required

rule.py:
    from codepathfinder.go_rule import GoOSExec

Rules Using This Class