Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-94 Base Rascunho
Improper Control of Generation of Code ('Code Injection')
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an…
Definição
What is CWE-94?
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax.
Code injection happens when user-supplied data is directly incorporated into dynamically generated code, like SQL queries, OS commands, or script blocks. Attackers exploit this by crafting inputs containing command delimiters or code syntax, tricking the application into executing unintended instructions. This can lead to data theft, system takeover, or complete compromise of the application's environment.
To prevent this, developers must strictly separate code from data. Use parameterized queries for databases, prepared statements, or safe API calls that automatically handle escaping. Never concatenate raw user input into executable strings. Input validation is also critical, but it should be a secondary defense, as proper use of secure coding interfaces is the most reliable way to neutralize injection risks.
Impacto no mundo real
Real-world CVEs caused by CWE-94
-
Math component in an LLM framework translates user input into a Python expression that is input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
-
Python-based library uses an LLM prompt containing user input to dynamically generate code that is then fed as input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
-
Framework for LLM applications allows eval injection via a crafted response from a hosting provider.
-
Python compiler uses eval() to execute malicious strings as Python code.
-
Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.
-
"Code injection" in VPN product, as exploited in the wild per CISA KEV.
-
Eval injection in PHP program.
-
Eval injection in Perl program.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
This example attempts to write user messages to a message file and allow users to view them.
- 2
While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:
- 3
which will decode to the following:
- 4
The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.
- 5
Notice that XSS (CWE-79) is also possible in this situation.
Exemplo de código vulnerável
Vulnerable PHP
This example attempts to write user messages to a message file and allow users to view them.
$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
$name = $_GET["name"];
$message = $_GET["message"];
$handle = fopen($MessageFile, "a+");
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle);
echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
include($MessageFile);
} Payload do atacante
While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:
name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E Exemplo de código seguro
Secure Python
A way to accomplish this without the use of eval() is to apply an integer conversion on the input within a try/except block. If the user-supplied input is not numeric, this will raise a ValueError. By avoiding eval(), there is no opportunity for the input string to be executed as code.
def main():
sum = 0
numbers = input("Enter a space-separated list of numbers: ").split(" ")
try:
for num in numbers:
sum = sum + int(num)
print(f"Sum of {numbers} = {sum}")
except ValueError:
print("Error: invalid input")
main() What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-94
- Architecture and Design Refactor your program so that you do not have to dynamically generate code.
- Architecture and Design Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
- Implementation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
- Testing Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
- Testing Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
- Operation Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
- Operation Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
- Implementation For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
Sinais de deteção
How to detect CWE-94
O Plexicus deteta automaticamente o CWE-94 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-94?
Qual a gravidade do CWE-94?
Que linguagens ou plataformas são afetadas pelo CWE-94?
Como posso prevenir o CWE-94?
Como é que o Plexicus deteta e corrige o CWE-94?
Onde posso saber mais sobre o CWE-94?
Frequently asked questions
O que é o CWE-94?
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax.
Qual a gravidade do CWE-94?
A MITRE classifica a probabilidade de exploração como Média — a exploração é realista mas normalmente requer condições específicas.
Que linguagens ou plataformas são afetadas pelo CWE-94?
MITRE lists the following affected platforms: Interpreted, AI/ML.
Como posso prevenir o CWE-94?
Refactor your program so that you do not have to dynamically generate code. Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of…
Como é que o Plexicus deteta e corrige o CWE-94?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-94 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-94?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/94.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-94
CWE-74 Pai
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another…
CWE-1236 Irmão
Improper Neutralization of Formula Elements in a CSV File
This vulnerability occurs when an application writes user-supplied data into a CSV file without properly sanitizing special characters.…
CWE-75 Irmão
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
This vulnerability occurs when an application fails to properly filter or encode user-supplied data containing special characters or…
CWE-77 Irmão
Improper Neutralization of Special Elements used in a Command ('Command Injection')
This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An…
CWE-78 Irmão
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it.…
CWE-79 Irmão
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a…
CWE-88 Irmão
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate…
CWE-89 Irmão
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an…
CWE-91 Irmão
XML Injection (aka Blind XPath Injection)
XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents…
Recursos
Further reading
- MITRE — CWE-94 oficial https://cwe.mitre.org/data/definitions/94.html
- How ast.literal_eval can cause memory exhaustion https://www.reddit.com/r/learnpython/comments/zmbhcf/how_astliteral_eval_can_cause_memory_exhaustion/
- ast - Abstract Syntax Trees https://docs.python.org/3/library/ast.html#ast.literal_eval
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.