Introduction
Injection flaws are among the most dangerous and long-standing software security issues. They occur when untrusted input is passed directly into queries, commands, or code interpreters without proper validation or escaping. This can lead to unauthorized access, data corruption, or complete system compromise.
While traditional SAST tools focus on common languages like JavaScript, Python, or Java, Aikido’s AI-powered code quality engine now detects injection vulnerabilities in languages that SAST tools typically miss, such as Perl, Haskell, Groovy, Erlang, Zig, Delphi, PowerShell, COBOL, ABAP, Visual Basic, Pascal, and ColdFusion.
This rule ensures that no matter what language your team uses, unsafe query or command construction is caught before it reaches production.
Why It Matters
Injection flaws remain one of the OWASP Top 10 security risks.
They are easy to introduce but often difficult to detect through manual review, especially in legacy or less common languages.
Without safeguards:
- Attackers can inject SQL or OS commands into dynamically built strings.
- Sensitive data can be exfiltrated or destroyed.
- Entire systems can be taken over if code execution is possible.
By enforcing this rule, every piece of code that builds queries or commands must use parameterized APIs, safe libraries, or escape functions, drastically reducing the attack surface.
❌ Non-Compliant Example
Below is an example in PowerShell, but the same issue appears in many languages.
# Unsafe: user input directly concatenated into a system command
$userInput = Read-Host "Enter username"
Invoke-Expression ("net user " + $userInput)
Why this is unsafe: Invoke-Expression parses and runs the concatenated string as PowerShell code, so whatever the user types becomes part of the command itself.
An attacker could input john && del C:\* /Q and cause destructive behavior.
✅ Compliant Example
# Safe: use parameterized or validated command execution
$userInput = Read-Host "Enter username"
if ($userInput -match '^[a-zA-Z0-9_-]+$') {
    Start-Process "net" -ArgumentList "user", $userInput
} else {
    Write-Host "Invalid input"
}
Why this is safe:
- Command arguments are passed as a list, not a concatenated string.
- The input is validated using a whitelist regex.
- No untrusted data ever reaches the shell unescaped.
Try It in Aikido
You can enable this rule directly in Aikido’s Code Quality tool.
Once active, it automatically scans for injection patterns across all supported languages, including those without native SAST coverage.
Each time a developer opens a pull request:
- The system reviews new and changed code.
- It flags any use of string concatenation or interpolation inside command, query, or interpreter calls.
- The report highlights the exact line and provides a short fix suggestion (for example, “Use parameterized APIs or validated inputs”).
This rule runs on every PR, ensuring consistent protection even in mixed-language repositories.
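As an added illustration of the kind of check described above (this is not Aikido's engine, whose implementation is not shown on this page), a minimal Python line-level detector that flags string concatenation or interpolation feeding Invoke-Expression, run over constructed PowerShell snippets modelled on the examples in this article:

```python
import re

# Constructed PowerShell snippets modelled on the page's examples (not real project code).
UNSAFE_SNIPPET = '\n'.join([
    '$userInput = Read-Host "Enter username"',
    'Invoke-Expression ("net user " + $userInput)',   # concatenation into a code sink
])
INTERPOLATED_SNIPPET = 'iex "net user $userInput"'    # alias plus string interpolation
CONSTANT_SNIPPET = 'Invoke-Expression "Get-Date"'      # no untrusted data: must not fire
SAFE_SNIPPET = '\n'.join([
    '$userInput = Read-Host "Enter username"',
    "if ($userInput -match '^[a-zA-Z0-9_-]+$') {",
    '    Start-Process "net" -ArgumentList "user", $userInput',
    '}',
])

# Sinks that evaluate a string as PowerShell code (the cmdlet and its built-in alias).
SINKS = re.compile(r'\b(Invoke-Expression|iex)\b', re.IGNORECASE)
# A string literal glued to a variable with "+", in either order.
CONCAT = re.compile(r'"[^"]*"\s*\+\s*\$\w+|\$\w+\s*\+\s*"[^"]*"')
# A variable expanded inside a double-quoted string.
INTERP = re.compile(r'"[^"]*\$\w+[^"]*"')


def find_injection_sinks(source):
    """Return (line_no, sink, line) for each line that feeds concatenated or
    interpolated data into a code-evaluation sink. Line-local only: a tainted
    value built on one line and evaluated on another is not tracked here,
    which is exactly the gap a dataflow-aware engine closes."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        sink = SINKS.search(line)
        if sink is None:
            continue
        args = line[sink.end():]          # only what is handed to the sink
        if CONCAT.search(args) or INTERP.search(args):
            findings.append((line_no, sink.group(1), line.strip()))
    return findings


if __name__ == "__main__":
    for name, snippet in [("unsafe", UNSAFE_SNIPPET), ("interpolated", INTERPOLATED_SNIPPET),
                          ("constant", CONSTANT_SNIPPET), ("safe", SAFE_SNIPPET)]:
        print(name, find_injection_sinks(snippet))
```

The constant and safe snippets produce no findings, which is the precision a rule needs to avoid noise on every pull request.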
Conclusion
Dynamic string construction is one of the simplest mistakes that can lead to critical security breaches.
By detecting unsafe concatenation and enforcing safe query building practices, this rule prevents entire classes of injection attacks before they reach production.
No matter the language, Aikido’s intelligent analysis brings static and AI-assisted protection together to cover more ground than traditional tools ever could.