Will It Vibe logoWill It Vibe?
RUST-006Medium severity-8 points

Command argument built with format!/concatenation

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A Command::new(...) argument is built with format!/string concatenation instead of a fixed literal, so untrusted input can reach the child process's argv (and a shell, if one is invoked, such as Command::new("sh").arg("-c")). Command::new does not itself go through a shell, so the risk is highest once a shell interpreter is in the chain; this heuristic flags the dynamic-argument shape either way as worth a review.

Why it matters

A Command whose argument is assembled with format!/string concatenation lets whatever produced that string influence exactly what the child process receives. Command::new does not itself invoke a shell, so plain argv entries are not shell-expanded, but the risk becomes concrete the moment the chain also invokes a shell interpreter (Command::new("sh").arg("-c").arg(...)) or passes the value to a program that interprets it (many CLIs, interpreters, or scripts do). Even without a shell in the mix, a dynamically built argument can still let an attacker influence which file gets read, which flag gets set, or which host gets contacted.

How to fix it

Prefer passing each user-controlled value as its own separate .arg(...) rather than interpolating it into a combined string, and avoid invoking a shell (sh -c, cmd /C) with a built string at all; call the target program directly with distinct arguments instead. If a shell is unavoidable, validate/allowlist the value strictly before it reaches the command, and treat any value that must not be attacker-controlled as a hard requirement, not a nice-to-have.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks