critical · ASVS V1.2

Injection Prevention

AI coding agents build database queries by string concatenation, construct shell commands with user input, and generate unescaped HTML — the top 3 injection attack vectors.

What it catches

  • SQL queries built with string concatenation or template literals (SELECT * FROM users WHERE id = ${userId})
  • Shell commands with unsanitized user input
  • HTML output without escaping (XSS)
  • LDAP injection patterns
  • NoSQL injection via $where or $regex with user input

Why vibe coders should care

Injection attacks are the #1 web vulnerability for a reason. When your AI agent writes db.query("SELECT * FROM users WHERE email = '" + email + "'"), an attacker can type ' OR 1=1 -- as their email and dump your entire database. This isn’t theoretical — it’s the most exploited vulnerability on the internet.

Real impact: SQL injection = full database access. Command injection = full server access. XSS = stealing your users’ sessions and data.

Example

const { exec, execFile } = require('child_process');

// ❌ SQL injection — AI agents generate this constantly
const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);

// ✅ Use parameterized queries: the driver sends the value separately from the SQL text
const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);

// ❌ Command injection: exec() hands the whole string to a shell, which parses any metacharacters in filename
exec(`convert ${req.body.filename} output.png`);

// ✅ Use execFile with explicit args: no shell is involved, so the value is passed to convert literally
const filename = req.body.filename;
execFile('convert', [filename, 'output.png']);
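The patterns listed under "What it catches", run as a small line-based detector over snippets like the ones above. This is an added illustration, not VibSec's own scanner: the rules are regex heuristics constructed for this example (they will over- and under-flag real code), and the sample source is constructed to mirror the page's before/after pairs.

```javascript
// Added example, not VibSec's scanner: heuristic rules for the five injection
// patterns this check describes, plus a constructed sample to run them over.
const RULES = [
  // SQL keyword on a line that also interpolates (${...}) or concatenates ('...' + x)
  { id: 'sql-concat', re: /\b(SELECT|INSERT|UPDATE|DELETE)\b.*(\$\{|['"]\s*\+|\+\s*['"])/i,
    fix: 'use a parameterized query: db.query("... WHERE id = $1", [id])' },
  // exec()/spawn() given a template literal that interpolates input
  { id: 'shell-interp', re: /\b(exec|execSync|spawn|spawnSync|system|popen)\s*\(\s*`[^`]*\$\{/,
    fix: 'use execFile(cmd, [arg, ...]) so no shell parses the input' },
  // innerHTML / document.write fed a concatenated or interpolated string
  { id: 'html-raw', re: /(\.innerHTML\s*=|document\.write\s*\()[^;]*(\+|\$\{)/,
    fix: 'set textContent, or HTML-escape the value before inserting it' },
  // $where / $regex whose value comes from ${...} or req.*
  { id: 'nosql-operator', re: /\$(where|regex)\s*:\s*[^,}]*(\$\{|\breq\.)/,
    fix: 'never pass user input to $where or $regex; query fields with literal operators' },
  // LDAP filter attribute whose value is interpolated or concatenated
  { id: 'ldap-concat', re: /\(\s*(uid|cn|mail|sAMAccountName|objectClass)\s*=[^)]*(\$\{|\+)/i,
    fix: 'escape filter values (RFC 4515) or use the client library\'s filter builder' },
];

// Scan source text; returns one finding per matching rule per line (1-based line numbers).
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ line: idx + 1, rule: rule.id, snippet: text.trim(), fix: rule.fix });
    }
  });
  return findings;
}

// Constructed sample: lines 2 and 5 are the safe forms and should produce no finding.
const SAMPLE = [
  'const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  "const user2 = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);",
  'db.query("SELECT * FROM users WHERE email = \'" + email + "\'");',
  'exec(`convert ${req.body.filename} output.png`);',
  "execFile('convert', [req.body.filename, 'output.png']);",
  "el.innerHTML = '<b>' + req.query.name + '</b>';",
  "users.find({ $where: `this.name == '${req.query.name}'` });",
  'ldap.search(`(uid=${req.body.user})`);',
].join('\n');

for (const f of scanSource(SAMPLE)) console.log(`line ${f.line}: ${f.rule} -> ${f.fix}`);
```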

How to fix

VibSec flags the exact file and line number. Run vibsec scan --fix and your AI agent will rewrite concatenated queries into parameterized ones and sanitize all command inputs.

Related checks: Unsafe Code Patterns · Deserialization · All Checks
