Rule Definition
In web based applications, the validation of all user input is critical to avoid major security problems that would come from the injection flaws. To avoid the creation of injection flaws, the Open Web Application Security Project (OWASP) recommends the validation of all user input: "Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data. Do not forget that error messages might also include invalid data" The Common Weakness Enumeration defines Improper Input Validation (CWE-20) as follows: "When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution."

Remediation
Use authorized sanitization methods. Do not expose sensible methods.

Violation Code Sample

var resultDoc = things.Find(new BsonDocument()).ToList();
foreach (var item in resultDoc)
{
    // Exec JS command. Ok
    JsonCommand<BsonDocument> cmd = new JsonCommand<BsonDocument>("{ eval: \"test_function(2)\" }");
    var result = db.RunCommand(cmd);

    // Possible injection
    var userInput = Console.ReadLine();
    cmd = new JsonCommand<BsonDocument>(userInput); 
    Command<BsonDocument> cmd2 = GetCmdOfJsonCmd(cmd);
    result = db.RunCommand(cmd2);
}

Fixed Code Sample

Use authorized sanitization methods.
Do not expose sensible methods.

http://cwe.mitre.org/data/definitions/89.html