bash.curl.security.curl-eval.curl-eval
semgrep
Author: unknown
Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.
Definition
rules:
  - id: curl-eval
    severity: WARNING
    languages:
      - bash
    message: Data is being eval'd from a `curl` command. An attacker with control of
      the server in the `curl` command could inject malicious code into the
      `eval`, resulting in a system compromise. Avoid eval'ing untrusted data if
      you can. If you must do this, consider checking the SHA sum of the content
      returned by the server to verify its integrity.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      category: security
      technology:
        - bash
        - curl
      confidence: MEDIUM
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    mode: taint
    pattern-sources:
      - pattern: |
          $(curl ...)
      - pattern: |
          `curl ...`
    pattern-sinks:
      - pattern: eval ...
Examples
curl-eval.bash
#!/bin/bash
# Output of a curl command substitution is a taint source for this rule.
x=$(curl -L https://raw.githubusercontent.com/something)
# ruleid: curl-eval
eval ${x}
# Backtick command substitution is matched as a source as well.
yy=`curl $SOME_URL`
# Not flagged: this evals the literal word "yy", not the fetched content.
eval yy
# ruleid: curl-eval
eval ${yy}
scrpt=$(curl -L https://raw.githubusercontent.com/something)
echo scrpt
# Taint propagates through the pipeline into scrpt2.
scrpt2=$( ${scrpt} | tr -d 1 )
# ruleid: curl-eval
eval ${scrpt2}
# The curl substitution can also appear directly in the eval sink.
# ruleid: curl-eval
eval $(curl -L https://raw.githubusercontent.com/something)
# A string literal carries no taint.
# ok: curl-eval
eval "x=1"
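The rule's message recommends checking the SHA sum of the fetched content before eval'ing it. The script below is an added example, not part of the Semgrep rule or its test file: it shows the flagged pattern (`unsafe_eval`) next to a hardened form (`verified_eval`) that refuses to eval unless the content matches a pinned SHA-256. The function names, the `GOOD_SCRIPT`/`TAMPERED_SCRIPT` strings and the hash are constructed here so the script runs offline; in a real deployment the content would come from `$(curl ...)` and the expected hash would be pinned in the script at release time rather than computed at run time.

```shell
#!/bin/bash
# Added example (not from the Semgrep rule or its test file): the vulnerable
# "eval whatever curl returned" pattern next to a hash-pinned alternative.

# Portable SHA-256 of stdin (sha256sum on GNU systems, shasum elsewhere).
sha256_of_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# VULNERABLE: whatever the server (or anything on the path to it) returned is
# executed with this shell's privileges. This is the shape curl-eval flags.
unsafe_eval() {
    local content="$1"
    eval "${content}"
}

# HARDENED: eval only if the content's SHA-256 matches the pinned value.
# Returns 0 after eval on a match; returns 1 and evals nothing otherwise.
verified_eval() {
    local content="$1" expected="$2" actual
    actual=$(printf '%s' "${content}" | sha256_of_stdin)
    if [ "${actual}" != "${expected}" ]; then
        echo "integrity check failed: expected ${expected}, got ${actual}" >&2
        return 1
    fi
    eval "${content}"
}

# Constructed stand-ins for the body curl would return. GOOD_SHA is computed
# here only to keep the demo offline; a real script pins a known hash.
GOOD_SCRIPT='RESULT=good'
GOOD_SHA=$(printf '%s' "${GOOD_SCRIPT}" | sha256_of_stdin)
TAMPERED_SCRIPT='RESULT=tampered'

# Runs verified_eval against the pinned hash and reports the value RESULT
# holds afterwards ("unset" means nothing was eval'd).
run_verified() {
    RESULT=unset
    verified_eval "$1" "${GOOD_SHA}" || true
    echo "${RESULT}"
}

# Stand-alone demo: the genuine content is eval'd, the tampered one is not.
echo "genuine content  -> RESULT=$(run_verified "${GOOD_SCRIPT}")"
echo "tampered content -> RESULT=$(run_verified "${TAMPERED_SCRIPT}" 2>/dev/null)"
```

Pinning a hash only helps if the hash is stored somewhere the server cannot change, so it belongs in the script or in a separately distributed checksum file, never in a second `curl` from the same origin.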
Short Link: https://sg.run/0yqJ