bash.lang.security.ifs-tampering.ifs-tampering

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS="," read -a my_array'.

Run Locally

Run in CI

Defintion

rules:
  - id: ifs-tampering
    languages:
      - bash
    severity: WARNING
    message: The special variable IFS affects how splitting takes place when
      expanding unquoted variables. Don't set it globally. Prefer a dedicated
      utility such as 'cut' or 'awk' if you need to split input data. If you
      must use 'read', set IFS locally using e.g. 'IFS="," read -a my_array'.
    pattern: IFS=...
    metadata:
      cwe:
        - "CWE-20: Improper Input Validation"
      category: security
      technology:
        - bash
      confidence: LOW
      owasp:
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

ifs-tampering.bash

# ruleid: ifs-tampering
IFS=,

# ok: ifs-tampering
IFS=, read -a values