Removing injected OS commands in POST URLs in Drupal 8x

I’ve been using Burp to evaluate my Drupal 8 site and I found an OS command injection exploit.

The problem is I don’t know where to insert the routine to get rid of the unwanted injected code. I’ve tried InboundPathProcessorInterface and OutboundPathProcessorInterface and they don’t work!

    POST /contact-us%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1 HTTP/1.1
    Host: x.x.x.x
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Referer: https://x.x.x.x/contact-us
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 364
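An added example, not part of the original post: percent-decoding the request path shown above reveals which shell metacharacters the Burp probe carries, and the same check can flag such paths in access logs. The function names, the metacharacter set and the two extra request lines are assumptions of this sketch.

```python
import re
from urllib.parse import unquote

# Request line copied from the post above (the Burp probe against /contact-us).
PROBE = (
    "POST /contact-us%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20"
    "127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%20"
    "21%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1 HTTP/1.1"
)
BENIGN = "POST /contact-us HTTP/1.1"        # constructed sample
DOUBLE_ENCODED = "GET /a%257cb HTTP/1.1"    # constructed sample

# Characters a shell treats as control syntax (assumed set, extend as needed).
SHELL_META = re.compile(r"[|&;`$<>\\\n\r]")


def decode_path(request_line, max_rounds=3):
    """Return the request path, percent-decoded until stable or max_rounds."""
    _method, target, _version = request_line.split(" ", 2)
    path = target.partition("?")[0]          # drop any query string
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:                  # nothing left to decode
            break
        path = decoded
    return path


def inspect(request_line):
    """Report the decoded path and any shell metacharacters found in it."""
    path = decode_path(request_line)
    hits = sorted(set(SHELL_META.findall(path)))
    return {"path": path, "metachars": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    for line in (PROBE, BENIGN, DOUBLE_ENCODED):
        result = inspect(line)
        print(result["suspicious"], result["metachars"], result["path"])
```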