Code Injection

Description

Code Injection is a critical security flaw where an attacker can supply malicious input that the application interprets or executes as code. This occurs in scenarios where user-controlled data is passed to language interpreters, eval functions, or dynamic execution contexts without proper validation or sanitization. By exploiting a code injection vulnerability, attackers can potentially execute arbitrary commands or manipulate the server, gaining full control over the affected application or even the underlying system.

Unlike SQL Injection (focused on databases) or Command Injection (targeting system commands), Code Injection refers specifically to injecting code in the same language as the application runtime (for example, Python, PHP, Ruby, or others). When the server executes the malicious code, attackers can perform unauthorized actions, access sensitive data, or escalate privileges.

Examples

eval() in JavaScript or PHP

A common pattern that leads to Code Injection is the use of eval():

<?php
    // Insecure PHP snippet
    $userInput = $_GET['data'];
    eval("\$variable = $userInput;");
?>

If an attacker passes something like:

?data=system('cat /etc/passwd');

the eval() function attempts to execute the injected code in PHP. Depending on configuration, this could lead to arbitrary command execution or file disclosure.

Unsafe Deserialization

Languages that support serialization (e.g., Java, PHP, Python) can be vulnerable if untrusted data is deserialized without checks. Attackers can craft a malicious serialized payload that, upon deserialization, executes arbitrary code or triggers dangerous application logic. For example, in PHP:

<?php
    // Insecure example of unserializing user data
    $serializedData = $_POST['serialized'];
    $object = unserialize($serializedData);
    // Potentially triggers malicious constructors or methods
?>

If the serialized object contains malicious classes or triggers magic methods, it could lead to code execution within the application.

Template Injection Leading to Code Execution

In some server-side template engines (e.g., Jinja2 in Python, Twig in PHP), an attacker might inject syntax recognized by the template engine, enabling them to execute server-side code. For instance:

# Vulnerable Python with Jinja2
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/')
def index():
    user_input = request.args.get('data')
    template = f"Hello {user_input}!"
    return render_template_string(template)

If render_template_string processes certain Jinja2 constructs without sandboxing, an attacker could supply a payload like:

/?data={{7*7}} or {% if ''.__class__.__mro__[1].__subclasses__()%}...

leading to arbitrary code execution on the server through Python object references.

Remediation

  1. Avoid Insecure Code Evaluation
    • Eliminate or severely restrict the use of functions like eval(), exec(), or similar dynamic code execution methods.
    • If dynamic evaluation is absolutely necessary, strictly validate or sanitize the input beforehand, and consider sandboxing techniques.
  2. Safe Deserialization
    • Avoid deserializing untrusted user input.
    • If deserialization is required, use known-safe formats (e.g., JSON) and verify that the data conforms to expected structures.
    • Use libraries that have built-in safety checks or implement custom validation of deserialized objects.
  3. Use Secure Templating
    • Employ templating systems that automatically escape user inputs and sandbox any code-like expressions.
    • Disallow direct access to critical objects or methods within template contexts.
  4. Input Validation and Sanitization
    • Treat all user-supplied data as untrusted.
    • Validate against expected formats (e.g., numeric ranges, string length constraints) and strip or encode dangerous characters.
    • Use context-appropriate encoding if user input will be inserted into a dynamic execution environment.
  5. Principle of Least Privilege
    • Run the application with the minimum privileges required.
    • Even if Code Injection occurs, restricting privileges reduces the impact—limiting file system access, network capabilities, or system-level actions.