bash.curl.security.curl-pipe-bash.curl-pipe-bash

Author
unknown
Data is being piped into `bash` from a `curl` command. Whoever controls the server named in the `curl` command, or can tamper with the connection on the way (two of the examples below fetch over plain `http`), can inject arbitrary commands, and they run with the privileges of the invoking user: root when the pipeline is prefixed with `sudo`. Avoid piping untrusted data into `bash` or any other shell if you can. If you must run a remote script, download it to a file, compare its SHA-256 against a hash obtained independently of the server that serves the script (a hash fetched from the same server proves nothing, since whoever controls the server controls both), and execute the file only after the check passes. Note the rule's limits: the patterns match only `bash` and `/bin/bash` as the consumer, so `curl ... | sh` or `wget -qO- ... | bash` are not flagged, and the rule is marked LOW confidence under the `audit` subcategory. A clean scan means nothing matched these shapes, not that the script contains no remote-execution pipeline.
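What the download-then-verify alternative looks like in practice, as an added example that is not part of the Semgrep rule or this registry page. It assumes a hypothetical installer URL (`https://example.invalid/install.sh`), a SHA-256 pinned in the script and obtained out of band, and substitutes a constructed local file for the real download so that it runs offline; the function and file names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not code from the Semgrep rule or the registry page.
# Hardened replacement for the flagged pattern
#     curl -fsSL https://example.invalid/install.sh | bash
# Download to a file, compare its SHA-256 to a hash pinned here, and only
# then run it. URL, file names and the pinned hash are assumptions.
set -eu

# Hex SHA-256 of a file. Uses sha256sum (GNU) or falls back to shasum (macOS/BSD).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Download to a file instead of a pipe. -f turns HTTP errors into a non-zero
# exit, --proto '=https' refuses any redirect to plain http, -o keeps the body
# on disk so it can be read and hashed before anything executes.
# Not called in the offline demo below.
fetch_script() {
  local url="$1" out="$2"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Compare the file's hash to the pinned value. Returns 0 on match, 1 otherwise,
# and never executes the file. The pinned value must come from somewhere other
# than the server that serves the script (release notes, a signed announcement,
# a copy you already reviewed); if both come from the same server, whoever
# controls it controls both.
verify_script() {
  local file="$1" expected="$2" actual
  actual="$(file_sha256 "$file")"
  if [ "$actual" != "$expected" ]; then
    printf 'hash mismatch for %s\n  expected %s\n  got      %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
}

# Run the script only after verification succeeds. It still runs with the
# caller's privileges, so keep sudo off this line unless the script needs it.
run_verified() {
  local file="$1" expected="$2"
  verify_script "$file" "$expected" || return 1
  bash "$file"
}

# Offline demo with a constructed "download" standing in for fetch_script.
# The pinned hash is taken from the reviewed copy, as you would after reading
# the script once; a real installer would hard-code the hex string.
demo() {
  local dir script tampered pinned
  dir="$(mktemp -d)"
  script="$dir/install.sh"
  tampered="$dir/install-tampered.sh"
  printf '#!/usr/bin/env bash\necho "verified installer ran"\n' > "$script"
  pinned="$(file_sha256 "$script")"            # value obtained out of band
  # Attacker-served variant: same name, one extra line appended.
  cp "$script" "$tampered"
  printf 'echo "curl | bash would have run this too"\n' >> "$tampered"

  run_verified "$script" "$pinned"             # runs: the hash matches
  if run_verified "$tampered" "$pinned"; then  # hash differs: nothing executes
    echo "BUG: tampered script ran" >&2
    return 1
  fi
  rm -rf "$dir"
}

demo
```

The mismatch branch is the one that matters: the tampered copy is written to disk, reported on stderr, and never executed. Saving to a file first also means the bytes that were hashed are exactly the bytes that run, which a pipe cannot guarantee.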

Definition

rules:
  - id: curl-pipe-bash
    languages:
      - bash
    severity: WARNING
    message: Data is being piped into `bash` from a `curl` command. An attacker with
      control of the server in the `curl` command could inject malicious code
      into the pipe, resulting in a system compromise. Avoid piping untrusted
      data into `bash` or any other shell if you can. If you must do this,
      consider checking the SHA sum of the content returned by the server to
      verify its integrity.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      category: security
      technology:
        - bash
        - curl
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    patterns:
      - pattern-either:
          - pattern: curl ... | ... bash ...
          - pattern: curl ... | ... /bin/bash ...
          - pattern: ... bash <(curl ...)
          - pattern: ... /bin/bash <(curl ...)
          - pattern: ... bash -c "$(curl ...)"
          - pattern: ... /bin/bash -c "$(curl ...)"

Examples

curl-pipe-bash.bash

#!/bin/bash

# ruleid: curl-pipe-bash
bash <(curl -Ls "https://raw.githubusercontent.com/pusox/pusox/main/script/_A.sh")

# ruleid: curl-pipe-bash
curl http://10.110.1.200/deployment/scripts/SLAVE00-flight-setup.bash | /bin/bash -x | tee -a /tmp/mainscript-default-output

# ruleid: curl-pipe-bash
curl http://10.110.1.200/deployment/scripts/SLAVE00-flight-setup.bash | sudo /bin/bash

# ruleid: curl-pipe-bash
sudo bash <(curl -Ls "https://raw.githubusercontent.com/pusox/pusox/main/script/_A.sh")

# ruleid: curl-pipe-bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# ok: curl-pipe-bash
curl http://10.110.1.200/deployment/scripts/SLAVE00-flight-setup.bash | tee -a /tmp/mainscript-default-output