Pattern: Injecting filename in shell script
Issue: -
Filename is passed by injecting it into a shell string. Any shell meta-characters in the filename will be interpreted as part of the script, and not as part of the filename. This can break the script and allow arbitrary code execution exploits.
In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. The _ is a dummy string that becomes $0 in the script.
Example of incorrect code:
find . -name '*.mp3' -exec sh -c 'i="{}"; sox "$i" "${i%.mp3}.wav"' \;Example of correct code:
find . -name '*.mp3' -exec sh -c 'i="$1"; sox "$i" "${i%.mp3}.wav"' _ {} \;