How to prevent OS command injection?

Back to Forums

HOANG QUANG MINH

Question

Reactive

Traditional Web

Application Type

Traditional Web, Reactive

I'm new in Outsystems, I think these are silly questions but can someone help me:

Case 1: Is it possible to deploy without using an OS command call?

Case 2: If I have to use a function that calls an OS command, can the following 3 things be done?

1. Can Design to use libraries etc. without calling the function with a shell call

2. The parameters passed to the web application may not be output directly to the operating system command parameters.

3. All variables that make up the function's arguments can be checked to perform pre-authorization only.

Thanks for any suggestions

28 Mar 2022

MVP

what do you mean with OS Command?
Can you clarify this a bit more?

28 Mar 2022

9 replies

Last reply 31 Mar 2022

Show thread

Hide thread

HOANG QUANG MINH

I don't know if there is a function in the outsystem that can be used to execute a shell command?

if executing shell command, how can Outsystems protect against command execution attacks?

29 Mar 2022

Daniël Kuhlmann

MVP

Replying to HOANG QUANG MINH's comment on 29 Mar 2022 01:32:35

There is no such command as far as I know off.

29 Mar 2022

HOANG QUANG MINH

Replying to Daniël Kuhlmann's comment on 29 Mar 2022 04:06:33

Thank you for your response.

May I ask further: how to the web apps interacts with the underlying operating system?

29 Mar 2022

Daniël Kuhlmann

MVP

Replying to HOANG QUANG MINH's comment on 29 Mar 2022 06:18:02

Not sure to what interactions you refer, but this is a simplified list of the technology stack used by OutSystems:

For database server Oracle or MS SQL Server can be used.
On the front end, html5, CSS3 and JavaScript are used.
For reactive web and mobile ReactJS is used.
For mobile, the Cordova framework is used.
Extensions to the platform at the server side can be written in C#
Extensions to the front end can be written in JavaScript
In the cloud OutSystems is hosted on AWS
- AWS EC2 instances for servers
- AWS RDS to host MS SQL Server
- IIS is used as web server to run the applications

More information about the OutSystems architecture of generated applications can be found in the following official OutSystems document: https://www.outsystems.com/evaluation-guide/architecture-of-generated-apps/

Regards,

Daniel

29 Mar 2022

Devendra Baghel

Replying to HOANG QUANG MINH's comment on 29 Mar 2022 06:18:02

Hi HOANG,

In addition to the above comment. Web apps are hosted in IIS and they doesn't interact with OS directly.

They have there own Application pool and worker process. and if the app pool need to interact with OS (for example it needs any folder access) than we need to give permission. Only way you can call your shell command from outsystems web app is through .net extension

Best Regards

Devendra

30 Mar 2022

HOANG QUANG MINH

Replying to Devendra Singh Baghel's comment on 30 Mar 2022 16:36:19

hello Devendra

thanks for your support. So is there any .net extension available that I can refer to?

30 Mar 2022

HOANG QUANG MINH

Replying to Daniël Kuhlmann's comment on 29 Mar 2022 06:23:29

Hi Daniel.
Thanks for your support.

I just want to know that do the web application built with outsystems can interact with OS directly.