clojure.lang.security.command-injection-shell-call.command-injection-shell-call
A call to clojure.java.shell has been found; this can lead to remote code execution (RCE) if any of the inputs are user-controllable. Ensure their origin is validated and that they are sanitized before they reach the shell.
Definition
rules:
  - id: command-injection-shell-call
    metadata:
      author: Gabriel Marquet <gab.marquet@gmail.com>
      category: security
      confidence: LOW
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      likelihood: MEDIUM
      impact: HIGH
      subcategory:
        - audit
      technology:
        - clojure
      references:
        - https://clojuredocs.org/clojure.java.shell/sh
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    patterns:
      - pattern-either:
          - pattern-inside: |
              (ns ...
                ...
                (:require
                  ...
                  [clojure.java.shell ... [sh]]
                  ...
                ))
              ...
          - pattern-inside: |
              (ns ...
                ...
                (:use
                  ...
                  [clojure.java.shell ... [sh]]
                  ...
                ))
              ...
      - pattern-either:
          - patterns:
              - pattern: (sh $BASH ...)
              - metavariable-regex:
                  metavariable: $BASH
                  regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
          - patterns:
              - pattern: (sh $ARG ...)
              - pattern-not: (sh "..." ...)
    languages:
      - clojure
    severity: ERROR
    message: A call to clojure.java.shell has been found, this could lead to an RCE
      if the inputs are user-controllable. Please ensure their origin is
      validated and sanitized.
Examples
command-injection-shell-call.clj
;; Semgrep test fixture for the rule: it exercises the import forms the
;; pattern-inside clauses look for and marks each call the rule should flag
;; (ruleid) or ignore (ok). Clojure comments use ";", not "//".
(ns com.semgrep.test
  (:require [clojure.java.shell :refer [sh]]
            [clojure.tools.logging :as log]
            [clojure.string :refer [trim]]
            [clojure.java.io :as io]))

;; Alternative ways of bringing clojure.java.shell/sh into scope, kept here so
;; both the :require and the :use branches of the rule are covered.
(use '[clojure.java.shell :only [sh]])
(require '[clojure.java.shell :refer [sh]])
(:require [clojure.java.io :as io]
          [clojure.java.shell :as shell])
(:use [clojure.string :only [replace-first split upper-case trim-newline join]]
      [clojure.java.shell :only [sh]]
      [clojure.tools.cli :only (cli)])

;; The executable name is not a string literal at the call site, so the
;; (sh $ARG ...) branch fires; `arg` and `filename` are free symbols in the fixture.
(def command "bash")
;; ruleid: command-injection-shell-call
(println (:out (sh command "-c" "rsa" "-b" arg "-P" "" "-C" "" "-f" filename)))

(defn greetings [msg]
  ;; Each of these hands `msg` to a shell interpreter via -c, so shell
  ;; metacharacters in `msg` are parsed as commands.
  ;; ruleid: command-injection-shell-call
  (println (:out (sh "/bin/bash" "-c" msg)))
  ;; ruleid: command-injection-shell-call
  (println (:out (sh "bash" "-c" msg)))
  ;; ruleid: command-injection-shell-call
  (println (:out (sh "sh" "-c" msg)))
  ;; No shell is involved: "echo" receives `msg` as a plain argv element.
  ;; ok: command-injection-shell-call
  (println (:out (sh "echo" "-c" msg))))

(greetings "whoami && pwd")
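The fixture above shows what the rule flags; what it does not show is the remediation the message asks for. The following is an added example, not code from the Semgrep rule or its test file, of the same `greetings` call written so that no shell interprets user input, plus an allowlist-and-validation wrapper for the case where the program name or its arguments must come from a caller. The namespace `example.safe-shell` and the names `greetings-unsafe`, `greetings-safe`, `allowed-programs`, `safe-arg-re` and `run-allowed` are assumptions chosen for this example.

```clojure
;; Added example (not part of the Semgrep rule or its test fixture).
(ns example.safe-shell
  (:require [clojure.java.shell :refer [sh]]))

;; Flagged by the rule: "bash -c" parses `msg` as shell *code*, so operators
;; such as && or ; inside `msg` are executed rather than printed.
(defn greetings-unsafe [msg]
  (:out (sh "bash" "-c" msg)))

;; Hardened form: the program is a constant literal and `msg` is a single argv
;; element handed straight to `echo` with no shell in between, so the string
;; "whoami && pwd" is printed verbatim, never executed.
(defn greetings-safe [msg]
  (:out (sh "echo" msg)))

;; When the program must be chosen at runtime, map caller-supplied keys to a
;; fixed set of executables instead of letting the caller name the binary.
(def allowed-programs {:list "ls" :disk "df"})

;; Strict allowlist for arguments: only characters a path or flag legitimately
;; contains, so shell metacharacters cannot get through even if a later change
;; reintroduces a shell. (Sample pattern for this example; tune per use case.)
(def safe-arg-re #"[A-Za-z0-9_./=-]{1,255}")

(defn run-allowed
  "Runs one allowlisted program with validated arguments and returns its :out.
   Throws ex-info on an unknown program key or a rejected argument."
  [program-key & args]
  (let [program (get allowed-programs program-key)]
    (when-not program
      (throw (ex-info "program not allowlisted" {:program program-key})))
    (doseq [a args]
      (when-not (re-matches safe-arg-re a)
        (throw (ex-info "argument rejected" {:arg a}))))
    ;; Still no shell: `program` and `args` go directly to the exec call.
    ;; Note that the rule's (sh $ARG ...) pattern only sees direct sh calls,
    ;; so the allowlist above, not the scanner, is what keeps this safe.
    (:out (apply sh program args))))

(comment
  (greetings-safe "whoami && pwd")     ; "whoami && pwd\n" is printed, not run
  (run-allowed :list "-l" "/tmp")      ; directory listing of /tmp
  (run-allowed :list "/tmp; whoami")   ; throws: argument rejected
  (run-allowed :shell "-c" "id")       ; throws: program not allowlisted
  )
```

The design point is that `clojure.java.shell/sh` already execs the program directly with an argv array; the injection only appears when code adds a shell interpreter (`bash -c`, `sh -c`) to parse a string. Removing that interpreter is the fix, and validation of individual arguments is defence in depth rather than a substitute for it.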
Short Link: https://sg.run/Ag4L