bash.curl.security.curl-eval.curl-eval

semgrep
Author
unknown

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.


Definition

rules:
  - id: curl-eval
    severity: WARNING
    languages:
      - bash
    message: Data is being eval'd from a `curl` command. An attacker with control of
      the server in the `curl` command could inject malicious code into the
      `eval`, resulting in a system compromise. Avoid eval'ing untrusted data if
      you can. If you must do this, consider checking the SHA sum of the content
      returned by the server to verify its integrity.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      category: security
      technology:
        - bash
        - curl
      confidence: MEDIUM
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    mode: taint
    pattern-sources:
      - pattern: |
          $(curl ...)
      - pattern: |
          `curl ...`
    pattern-sinks:
      - pattern: eval ...
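The rule above is a taint rule: any `$(curl ...)` or backtick `curl` command is a source, and `eval` is the sink, so a curl result that reaches `eval` directly or through intermediate variables is flagged. The script below is an added example, not part of the Semgrep rule or its test file, showing the flagged pattern beside the mitigation the rule message suggests: hashing the fetched text and refusing to `eval` it unless the digest matches a pinned value. `sha256_of` and `verify_then_eval` are hypothetical helper names, `EXPECTED_SHA256` is a placeholder digest, and the "fetched" text is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Semgrep registry): the curl-to-eval pattern the
# rule flags, and a hardened form that pins a SHA-256 before evaluating.

# Flagged by the rule: whatever the server returns is executed as shell code.
#   eval "$(curl -L https://example.invalid/install.sh)"
# The same applies when the result passes through variables first, because
# the rule runs in taint mode and follows the data from curl to eval.

# Placeholder: in practice this is computed once from a reviewed copy of the
# script and committed next to the installer, never fetched from the server.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Prints the hex SHA-256 of $1. Uses sha256sum (coreutils) when available and
# falls back to shasum (macOS/BSD) so the helper works on both.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Evaluates $1 only if its SHA-256 equals $2.
# Returns 0 after evaluating, or 1 without evaluating anything on a mismatch.
verify_then_eval() {
  fetched_text=$1
  pinned_digest=$2
  actual_digest=$(sha256_of "$fetched_text")
  if [ "$actual_digest" != "$pinned_digest" ]; then
    printf 'refusing to eval: digest %s does not match pinned %s\n' \
      "$actual_digest" "$pinned_digest" >&2
    return 1
  fi
  eval "$fetched_text"
}

# Constructed stand-in for the server response; a real deployment would use
#   fetched_text=$(curl -fsSL "$URL")
# and pass the result to verify_then_eval with the committed digest.
CONSTRUCTED_RESPONSE='greeting=hello'

# Stand-alone demonstration: the placeholder digest never matches, so the
# constructed response is rejected and no eval takes place.
if verify_then_eval "$CONSTRUCTED_RESPONSE" "$EXPECTED_SHA256"; then
  echo "evaluated (unexpected with the placeholder digest)"
else
  echo "rejected: replace EXPECTED_SHA256 with the reviewed script's digest"
fi
```

Pinning a digest only helps when the digest itself comes from somewhere the server cannot influence, such as the repository that ships the installer; fetching the checksum from the same host that serves the script lets an attacker who controls that host update both.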

Examples

curl-eval.bash

#!/bin/bash

x=$(curl -L https://raw.githubusercontent.com/something)
# ruleid: curl-eval
eval ${x}

yy=`curl $SOME_URL`
eval yy
# ruleid: curl-eval
eval ${yy}

scrpt=$(curl -L https://raw.githubusercontent.com/something)
echo scrpt
scrpt2=$( ${scrpt} | tr -d 1 )
# ruleid: curl-eval
eval ${scrpt2}

# ruleid: curl-eval
eval $(curl -L https://raw.githubusercontent.com/something)

# ok: curl-eval
eval "x=1"