| author = OWASP Input Validation Cheat Sheet
}}
=== Command injection ===
* CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
| url = https://cwe.mitre.org/data/definitions/77.html
| website = mitre.org
}}</ref>
* CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| url = https://cwe.mitre.org/data/definitions/78.html
| website = mitre.org
}}</ref>
* CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
| url = https://cwe.mitre.org/data/definitions/88.html
| website = mitre.org
}}</ref>
Clearlisting (allowlisting: accepting only known-good input) is more effective than blocklisting (rejecting known-bad input), because a list of disallowed inputs is rarely complete:
* CWE-184: Incomplete List of Disallowed Inputs<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-184: Incomplete List of Disallowed Inputs
| url = https://cwe.mitre.org/data/definitions/184.html
| website = mitre.org
}}</ref>
=== Path traversal ===
* CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| url = https://cwe.mitre.org/data/definitions/22.html
| website = mitre.org
}}</ref>
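An added example, not taken from the page or from the OWASP cheat sheet it cites, showing the allowlist approach from the command-injection section applied to two untrusted values before they reach a command (the CWE-77/78/88 case) and a file path (the CWE-22 case). The function names, the {{Code| LOG_DIR| bash}} default and the log contents are constructed for illustration. Note that the allowlist deliberately admits a leading hyphen, so the {{Code| --| bash}} end-of-options marker is what stops a value such as {{Code| -r| bash}} from being read as an option (CWE-88); the allowlist and the safe call pattern are separate defences.

```shell
#!/bin/sh
# Added example (not from the page): allowlist validation, then safe
# invocation, for values that reach a shell command or a file path.
export LC_ALL=C   # make [A-Za-z] mean ASCII letters only, whatever the locale

# Allowlist for a search term: ASCII letters, digits and a few safe
# punctuation marks, 1-64 characters. Newlines, quotes, $, backticks, ';',
# '|' and '&' are all rejected without ever being named, which is why an
# allowlist does not suffer from CWE-184 (incomplete blocklist).
valid_term() {
    case "$1" in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Allowlist for one path component under a fixed directory: no slash
# (so no subdirectories), no leading dot (so no '..' and no hidden files).
valid_component() {
    case "$1" in
        '' | .* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 255 ]
}

# Hypothetical log directory; the caller may only name a file inside it.
LOG_DIR=${LOG_DIR:-/var/log/app}

# Count lines of a log inside $LOG_DIR that contain a user-supplied term.
# Vulnerable shape, for contrast (never do this):
#   eval "grep $term $LOG_DIR/$file"      # metacharacters in $term run as code
# Safe shape: validate, then pass each value as its own argument, with -F so
# the term is a fixed string and -- so it can never be parsed as an option.
search_log() {
    file=$1
    term=$2
    valid_component "$file" || { printf 'rejected file name\n' >&2; return 2; }
    valid_term "$term"      || { printf 'rejected search term\n' >&2; return 2; }
    grep -F -c -- "$term" "$LOG_DIR/$file"
}
```

{{Code| grep -c| bash}} prints the match count and exits 1 when nothing matched, so callers should distinguish "no match" (exit 1) from "rejected input" (exit 2).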
=== TOCTOU errors (Race conditions) ===
* CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
| url = https://cwe.mitre.org/data/definitions/367.html
| website = mitre.org
}}</ref>
The {{Code| mkdir| bash}} and {{Code| mktemp| bash}} commands create directories and files in an [[ACID |atomic]] fashion: the existence check and the creation are a single operation, so no other process can create or replace the name in between.
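An added example, not from the page, of the atomic-creation idiom described above: {{Code| mktemp| bash}} for temporary files and directories, {{Code| mkdir| bash}} as a lock, and write-then-rename for replacing a file without a window in which readers see a half-written result. The function names and the {{Code| app.XXXXXX| bash}} template are constructed for illustration; the vulnerable shape in the comment is there only for contrast.

```shell
#!/bin/sh
# Added example (not from the page): creating files and directories so
# that the check and the creation are one atomic step (avoids CWE-367).

# Vulnerable shape, for contrast (never do this): the test and the creation
# are separate system calls, so another process can create or symlink the
# predictable name between them, and the data lands wherever the link points.
#   if [ ! -e /tmp/app.$$ ]; then echo data > /tmp/app.$$; fi

# mktemp creates the file with an exclusive-create flag and a private mode
# and prints a name that did not exist; there is no check-then-use window.
new_tempfile() {
    mktemp "${TMPDIR:-/tmp}/app.XXXXXX"
}

new_tempdir() {
    mktemp -d "${TMPDIR:-/tmp}/app.XXXXXX"
}

# mkdir fails atomically if the directory already exists, so a directory
# works as a mutex: whichever process creates it holds the lock.
acquire_lock() {
    mkdir "$1" 2>/dev/null
}

release_lock() {
    rmdir "$1"
}

# Replace a file atomically: write to a mktemp file in the same directory
# (rename only works across the same filesystem), then rename over the
# destination, so readers see either the old or the new contents, never a mix.
atomic_write() {
    dest=$1
    content=$2
    tmp=$(mktemp "$(dirname -- "$dest")/.tmp.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" && mv -f -- "$tmp" "$dest"
}
```

The lock directory is not released automatically if the holder crashes, so a trap ({{Code| trap 'release_lock "$lock"' EXIT| bash}}) belongs next to every {{Code| acquire_lock| bash}} call in a real script.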
=== Untrusted search PATH ===
* CWE-426: Untrusted Search Path<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-426: Untrusted Search Path
| url = https://cwe.mitre.org/data/definitions/426.html
| website = mitre.org
}}</ref>
* CWE-427: Uncontrolled Search Path Element<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-427: Uncontrolled Search Path Element
| url = https://cwe.mitre.org/data/definitions/427.html
| website = mitre.org
}}</ref>
* CWE-428: Unquoted Search Path or Element<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-428: Unquoted Search Path or Element
| url = https://cwe.mitre.org/data/definitions/428.html
| website = mitre.org
}}</ref>
=== Abuse of symlinks ===
* CWE-61: UNIX Symbolic Link (Symlink) Following<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-61: UNIX Symbolic Link (Symlink) Following
| url = https://cwe.mitre.org/data/definitions/61.html
| website = mitre.org
}}</ref>
=== Sensitive information in error messages ===
* CWE-535: Exposure of Information Through Shell Error Message<ref>
{{Cite web
| access-date = 17 August 2025
| publisher = [[Mitre Corporation |The MITRE Corporation]]
| title = CWE-535: Exposure of Information Through Shell Error Message
| url = https://cwe.mitre.org/data/definitions/535.html
| website = mitre.org
}}</ref>
=== Shellshock ===
|