clojure.lang.security.command-injection-shell-call.command-injection-shell-call


A call to clojure.java.shell has been found; this could lead to an RCE if the inputs are user-controllable. Please ensure their origin is validated and sanitized.


Definition

rules:
  - id: command-injection-shell-call
    metadata:
      author: Gabriel Marquet <gab.marquet@gmail.com>
      category: security
      confidence: LOW
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      likelihood: MEDIUM
      impact: HIGH
      subcategory:
        - audit
      technology:
        - clojure
      references:
        - https://clojuredocs.org/clojure.java.shell/sh
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    patterns:
      - pattern-either:
          - pattern-inside: |
              (ns ...
              ...
              (:require
              ...
              [clojure.java.shell ... [sh]]
              ...
              ))
              ...
          - pattern-inside: |
              (ns ...
              ...
              (:use
              ...
              [clojure.java.shell ... [sh]]
              ...
              ))
              ...
      - pattern-either:
          - patterns:
              - pattern: (sh $BASH ...)
              - metavariable-regex:
                  metavariable: $BASH
                  regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
          - patterns:
              - pattern: (sh $ARG ...)
              - pattern-not: (sh "..." ...)
    languages:
      - clojure
    severity: ERROR
    message: A call to clojure.java.shell has been found; this could lead to an RCE
      if the inputs are user-controllable. Please ensure their origin is
      validated and sanitized.

Examples

command-injection-shell-call.clj

(ns com.semgrep.test
  (:require [clojure.java.shell :refer [sh]]
            [clojure.tools.logging :as log]
            [clojure.string :refer [trim]]
            [clojure.java.io :as io]))

;; Other ways of bringing sh into scope that the rule's pattern-inside clauses
;; are meant to cover. The ns-style :require/:use forms are wrapped in
;; (comment ...) because they are only valid inside an ns form.
(use '[clojure.java.shell :only [sh]])
(require '[clojure.java.shell :refer [sh]])
(comment
  (:require [clojure.java.io :as io]
            [clojure.java.shell :as shell])
  (:use [clojure.string :only [replace-first split upper-case trim-newline join]]
        [clojure.java.shell :only [sh]]
        [clojure.tools.cli :only (cli)]))

(def command "bash")

;; Wrapper so that arg and filename are bound. `command` is a symbol rather
;; than a string literal, which is the case the (sh $ARG ...) pattern catches.
(defn run-command [arg filename]
  ;; ruleid: command-injection-shell-call
  (println (:out (sh command "-c" "rsa" "-b" arg "-P" "" "-C" "" "-f" filename))))

(defn greetings [msg]
  ;; ruleid: command-injection-shell-call
  (println (:out (sh "/bin/bash" "-c" msg)))
  ;; ruleid: command-injection-shell-call
  (println (:out (sh "bash" "-c" msg)))
  ;; ruleid: command-injection-shell-call
  (println (:out (sh "sh" "-c" msg)))
  ;; ok: command-injection-shell-call
  (println (:out (sh "echo" "-c" msg))))

(greetings "whoami && pwd")
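The test file above only shows the shapes the rule flags. The following is an added example, not part of the Semgrep rule or its test file, that puts the flagged shape next to a hardened one; the namespace, the function names and the path allowlist regex are my own choices, and the input strings are constructed for illustration.

```clojure
(ns example.shell-hardening
  (:require [clojure.java.shell :refer [sh]]
            [clojure.string :as str]))

;; Vulnerable form (what the rule flags): the caller's string becomes part of
;; a command line that bash parses, so "&&", ";", "|" and "$(...)" inside
;; user-path are treated as shell syntax instead of as a file name.
(defn list-dir-unsafe [user-path]
  (sh "bash" "-c" (str "ls -l " user-path)))

;; Allowlist for the single kind of input this function accepts: a path made
;; of plain characters, with no parent-directory traversal. re-matches only
;; succeeds on a full match, so a space or a metacharacter anywhere rejects.
(defn safe-path? [s]
  (and (string? s)
       (some? (re-matches #"[A-Za-z0-9_./-]+" s))
       (not (str/includes? s ".."))))

;; Hardened form: validated input and no shell in the loop. clojure.java.shell/sh
;; hands every argument to java.lang.ProcessBuilder as its own argv entry, so
;; user-path reaches ls as exactly one argument and cannot start a second
;; command. "--" keeps a user-path that begins with "-" from being read as an
;; ls option. The first argument is a string literal that does not name a
;; shell, so the rule does not fire on this call.
(defn list-dir-safe [user-path]
  (if (safe-path? user-path)
    (sh "ls" "-l" "--" user-path)
    (throw (ex-info "path rejected by allowlist" {:path user-path}))))

(comment
  ;; Constructed inputs, the same shape as the greetings call in the test file.
  (list-dir-unsafe "/tmp && whoami")   ; bash runs ls, then whoami
  (:exit (list-dir-safe "src"))        ; 0 when ./src exists, else non-zero
  (list-dir-safe "src && whoami"))     ; throws ExceptionInfo; nothing runs
```

The argv separation is the fix; the allowlist is defence in depth for whatever the target program itself does with its arguments. Semgrep cannot see either the validation or the data flow into `msg`, which is why the rule is an `audit` finding with `confidence: LOW`: every `(sh "bash" "-c" ...)` is reported, and a first argument such as `"ssh"` also satisfies the `$BASH` regex, so each hit needs a human to trace where the arguments come from.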