user-influenced os commands are still considered harmful
Consider the following code snippet that I’m borrowing from an OWASP page on command injection:
The page claims “it is not possible to inject additional commands” so it must be secure!
And... it’s not. Good grief.