Fix Command Injection in Symfony
Command Injection in Symfony is a critical failure that usually comes from developers treating the Process component as a thin wrapper around shell_exec. If you concatenate user-controlled input from a Request object into a command string, you are handing an attacker remote code execution. The fix is to stop building shell-interpreted strings and move to array-based execution, where every argument reaches the program as data and is never parsed as shell syntax.
The Vulnerable Pattern
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Process\Process;

public function checkHost(Request $request): Response
{
    $host = $request->query->get('host');

    // VULNERABLE: fromShellCommandline() hands the whole string to the system
    // shell (sh -c on POSIX). An attacker can send ?host=8.8.8.8;cat%20/etc/passwd
    // and the shell runs "ping -c 1 8.8.8.8" followed by "cat /etc/passwd".
    $process = Process::fromShellCommandline('ping -c 1 ' . $host);
    $process->run();

    return new Response($process->getOutput());
}
The Secure Implementation
The vulnerability exists because Process::fromShellCommandline() hands the whole command string to the system shell (sh -c on POSIX, cmd.exe on Windows). Once user input is concatenated into that string, shell metacharacters such as semicolons, pipes, backticks and $(...) are parsed as command separators and substitutions rather than as part of the ping argument. With the array constructor, new Process(['ping', '-c', '1', $host]), there is no attacker-influenced string for the shell to parse: whether Symfony passes the array straight to proc_open or shell-escapes each element first (this differs by Symfony and PHP version), each element arrives at the program as exactly one argument. The input is data, never code.

Two caveats the array form does not cover. First, argument injection: a value that starts with a dash may be read by the target binary as an option, so validate the shape of the input (for a host, FILTER_VALIDATE_IP or an allowlist) and put user data after the end-of-options marker -- where the tool supports it. Second, if you genuinely need shell features such as pipes or redirects, keep the command string constant and pass user data through the env parameter of run(): Process::fromShellCommandline('ping -c 1 "$HOST"') with $process->run(null, ['HOST' => $host]). Symfony quotes placeholder values itself, so the value is never re-parsed as shell syntax.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Process\Process;

public function checkHost(Request $request): Response
{
    $host = $request->query->get('host');

    // SECURE: each array element becomes exactly one argument of ping.
    // "8.8.8.8;cat /etc/passwd" is passed to ping as a single literal host
    // name (which ping rejects); no shell ever sees the semicolon.
    $process = new Process(['ping', '-c', '1', $host]);
    $process->run();

    return new Response($process->getOutput());
}
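The following is an added example, not code from the original page or from the Symfony project. It puts the two controllers above into one runnable file and adds the two caveats discussed: an input-shape check that also closes argument injection, and the env-placeholder form of fromShellCommandline() for the rare case where a shell is really needed. The class name HostCheckController, the placeholder name HOST and the sample requests at the bottom are hypothetical; the example assumes symfony/process and symfony/http-foundation are installed through Composer.

```php
<?php
// Added example, not from the original page or the Symfony project.
// Assumes symfony/process and symfony/http-foundation are installed via Composer.
// HostCheckController, the HOST placeholder and the sample requests are hypothetical.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Process\Process;

final class HostCheckController
{
    /**
     * Accept only a literal IPv4/IPv6 address.
     *
     * The array form of Process stops "8.8.8.8;cat /etc/passwd" from being
     * parsed by a shell, but it does not stop argument injection: a value such
     * as "-f" would still reach ping as an option. Validating the shape of the
     * value closes that gap as well.
     */
    private function validateHost(string $host): ?string
    {
        return filter_var($host, FILTER_VALIDATE_IP) === false ? null : $host;
    }

    public function checkHost(Request $request): Response
    {
        $host = $this->validateHost((string) $request->query->get('host', ''));
        if ($host === null) {
            return new Response('host must be an IP address', Response::HTTP_BAD_REQUEST,
                ['Content-Type' => 'text/plain']);
        }

        // Array form: each element is exactly one argument of ping; no shell parses it.
        $process = new Process(['ping', '-c', '1', $host]);
        $process->setTimeout(5);
        $process->run();

        if (!$process->isSuccessful()) {
            return new Response('ping failed', Response::HTTP_BAD_GATEWAY,
                ['Content-Type' => 'text/plain']);
        }

        // text/plain so raw ping output is never rendered as HTML in the browser.
        return new Response($process->getOutput(), Response::HTTP_OK,
            ['Content-Type' => 'text/plain']);
    }

    /**
     * When shell features (here a pipe) are genuinely required, keep the command
     * string constant and hand user data over as an env placeholder. Symfony
     * quotes the placeholder value itself, so "$HOST" is never re-parsed as syntax.
     */
    public function checkHostWithShell(Request $request): Response
    {
        $host = $this->validateHost((string) $request->query->get('host', ''));
        if ($host === null) {
            return new Response('host must be an IP address', Response::HTTP_BAD_REQUEST,
                ['Content-Type' => 'text/plain']);
        }

        $process = Process::fromShellCommandline('ping -c 1 "$HOST" | head -n 2');
        $process->setTimeout(5);
        $process->run(null, ['HOST' => $host]);

        return new Response($process->getOutput(),
            $process->isSuccessful() ? Response::HTTP_OK : Response::HTTP_BAD_GATEWAY,
            ['Content-Type' => 'text/plain']);
    }
}

// Constructed requests, so the file runs without a web server.
$controller = new HostCheckController();
$injected = Request::create('/check', 'GET', ['host' => '8.8.8.8;cat /etc/passwd']);
$dash     = Request::create('/check', 'GET', ['host' => '-f']);
$clean    = Request::create('/check', 'GET', ['host' => '127.0.0.1']);

foreach ([$injected, $dash, $clean] as $request) {
    $response = $controller->checkHost($request);
    echo $request->query->get('host'), ' => HTTP ', $response->getStatusCode(), PHP_EOL;
}
```

Run it with `php example.php` from the directory that holds vendor/autoload.php. The first two requests are rejected by validateHost() before any process is started, so neither the injected payload nor the option-looking value ever reaches ping; only the third one executes, and only with the exact argument list written in the array.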
Verified by Ghost Labs Security Team