gitlab.find_sec_bugs.COMMAND_INJECTION-1
The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.
Definition
```yaml
rules:
  - id: find_sec_bugs.COMMAND_INJECTION-1
    pattern-either:
      - patterns:
          - pattern-inside: |
              $FUNC(...,String $PARAM, ...) {
                ...
              }
          - pattern-either:
              - pattern: (Runtime $R).exec($PARAM,...);
              - patterns:
                  - pattern-either:
                      - pattern: |
                          $CMDARR = new String[]{"$SHELL",...,$PARAM,...};
                          ...
                          (Runtime $R).exec($CMDARR,...);
                      - pattern: (Runtime $R).exec(new String[]{"$SHELL",...,$PARAM,...}, ...);
                      - pattern: (Runtime $R).exec(java.util.String.format("...", ...,$PARAM,...));
                      - pattern: (Runtime $R).exec((String $A) + (String $B));
                  - metavariable-regex:
                      metavariable: $SHELL
                      regex: (/.../)?(sh|bash|ksh|csh|tcsh|zsh)$
          - pattern-not: (Runtime $R).exec("...","...","...",...);
          - pattern-not: |
              (Runtime $R).exec(new String[]{"...","...","...",...},...);
      - patterns:
          - pattern-inside: |
              $FUNC(...,String $PARAM, ...) {
                ...
              }
          - pattern-either:
              - pattern: (ProcessBuilder $PB).command($PARAM,...);
              - patterns:
                  - pattern-either:
                      - pattern: (ProcessBuilder $PB).command("$SHELL",...,$PARAM,...);
                      - pattern: >
                          $CMDARR =
                          java.util.Arrays.asList("$SHELL",...,$PARAM,...);
                          ...
                          (ProcessBuilder $PB).command($CMDARR,...);
                      - pattern: (ProcessBuilder $PB).command(java.util.Arrays.asList("$SHELL",...,$PARAM,...),...);
                      - pattern: (ProcessBuilder $PB).command(java.util.String.format("...", ...,$PARAM,...));
                      - pattern: (ProcessBuilder $PB).command((String $A) + (String $B));
                  - metavariable-regex:
                      metavariable: $SHELL
                      regex: (/.../)?(sh|bash|ksh|csh|tcsh|zsh)$
          - pattern-not: (ProcessBuilder $PB).command("...","...","...",...);
          - pattern-not: >
              (ProcessBuilder
              $PB).command(java.util.Arrays.asList("...","...","...",...));
    message: >
      The highlighted API is used to execute a system command. If unfiltered
      input is passed to this
      API, it can lead to arbitrary command execution.
    languages:
      - java
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      technology:
        - java
      primary_identifier: find_sec_bugs.COMMAND_INJECTION-1
      secondary_identifiers:
        - name: Find Security Bugs-COMMAND_INJECTION
          type: find_sec_bugs_type
          value: COMMAND_INJECTION
      license: MIT
```
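As an added example (not code from the rule or from the Find Security Bugs project), here is a Java method that this rule flags because a `String` parameter reaches `Runtime.exec` through a shell, next to a hardened version it does not flag. The `/bin/ping` path and the hostname pattern are assumptions for the example.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public class PingService {

    // Flagged by find_sec_bugs.COMMAND_INJECTION-1: the String parameter
    // 'host' is embedded in an "sh -c" command line, so any shell
    // metacharacter in it changes which command actually runs.
    static Process pingUnsafe(String host) throws IOException {
        String[] cmd = new String[]{"/bin/sh", "-c", "ping -c 1 " + host};
        return Runtime.getRuntime().exec(cmd);
    }

    // Allowlist for a hostname (assumption for this example): must start with
    // a letter or digit so the value can never be read as a ping option.
    private static final Pattern HOSTNAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    // Not flagged: no shell in the argv, the untrusted value is exactly one
    // argument, and it is validated first. ProcessBuilder hands the list to
    // the OS as separate arguments, so "; echo x" cannot become a second
    // command; it is simply rejected as an invalid hostname.
    static Process pingSafe(String host) throws IOException {
        if (host == null || !HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid hostname");
        }
        // Absolute path (assumed) so the binary is not resolved via PATH.
        ProcessBuilder pb = new ProcessBuilder(List.of("/bin/ping", "-c", "1", host));
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed sample input containing a shell metacharacter.
        String suspicious = "example.com; echo injected";
        try {
            pingSafe(suspicious);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage()); // rejected: invalid hostname
        }
        Process p = pingSafe("localhost");
        System.out.println("ping exit code: " + p.waitFor());
    }
}
```

Running `semgrep --config r/find_sec_bugs.COMMAND_INJECTION-1` over this file reports only `pingUnsafe`, which is the expected finding to fix.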
Short Link: https://sg.run/WDoz