A static detection method and apparatus for command injection vulnerabilities
CN121902168BActive Publication Date: 2026-06-30ELECTRIC POWER RES INST OF STATE GRID ZHEJIANG ELECTRIC POWER COMAPNY
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ELECTRIC POWER RES INST OF STATE GRID ZHEJIANG ELECTRIC POWER COMAPNY
- Filing Date
- 2026-03-25
- Publication Date
- 2026-06-30
Smart Images

Figure CN121902168B_ABST
Abstract
This invention discloses a static detection method and apparatus for command injection vulnerabilities, aiming to address the shortcomings of existing Abstract Syntax Trees (ASTs) in detecting potential vulnerabilities during static analysis. The invention includes the following steps: parsing source code and generating a static single-assignment intermediate representation; locating the starting point, ending point, and secure nodes of the analysis; tracing and analyzing data flow within and between functions; and determining and generating a vulnerability report. The source code parsing includes constructing an Abstract Syntax Tree (AST) based on the source code using a compiler. The static single-assignment intermediate representation is transformed into a data flow path using an SSA (Single-Assignment Array) converter. The data flow path includes variable definition-use chains and use-definition chains, providing a precise semantic basis for subsequent data flow tracing. By converting all languages to SSA-IR, the black-box state of projects collaborating on different languages in static analysis can be avoided, enabling continuous tracing of variable data flow paths and thus accurately locating the command injection vulnerability.
Need to check novelty before this filing date? Find Prior Art