Use of XECUTE

objectscriptQuality release: 1.0.0
Id: OS0069
Rule type: Vulnerability
Severity: Critical
SQALE characteristic:
  • Reliability
    • Instruction
Tags: coding-guidelines, deprecation, performance
Remediation function: Constant/issue
Remediation cost: 15min

The XECUTE command can be used to execute arbitrary commands from, for instance, string inputs:

    xecute "do ..something()"

However, this has both security and performance implications:

  • Security: the command to be executed may come from user input; unless that input is validated thoroughly, malicious code may be executed.
  • Performance: the string has to be constructed at runtime (when it is a concatenation of strings rather than a single literal, for instance) and then parsed and evaluated on every call.

For these reasons, you should avoid using XECUTE and express the same logic with ordinary, explicitly written commands instead.
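An added example, not code from the rule page or from the objectscriptQuality project, showing the pattern the rule flags beside a replacement that keeps the caller-supplied value out of XECUTE. The class MyApp.Jobs, its methods and the action names are assumptions for illustration.

```objectscript
/// Flagged pattern: the action name arrives from the caller and is spliced
/// into the XECUTE string, so whatever the caller sends is parsed and run.
ClassMethod RunRisky(action As %String) As %Status
{
    xecute "do ##class(MyApp.Jobs)."_action_"()"
    quit $$$OK
}

/// Replacement: check the untrusted name against a fixed allowlist and then
/// dispatch with a normal command. No string is built or evaluated at runtime,
/// and a name outside the list is rejected with an error status.
ClassMethod RunSafe(action As %String) As %Status
{
    // Hypothetical allowlist of the jobs this entry point is meant to expose
    set allowed = $listbuild("Export", "Cleanup")
    if '$listfind(allowed, action) {
        quit $$$ERROR($$$GeneralError, "Unknown action: "_action)
    }
    // $CLASSMETHOD calls a class method by name without parsing code;
    // the name has already been constrained to the allowlist above.
    do $classmethod("MyApp.Jobs", action)
    quit $$$OK
}
```

When the set of actions is small, an explicit if/elseif chain calling each method directly avoids dynamic dispatch altogether and is what the analyzer expects to see in place of XECUTE.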