go.lang.security.audit.dangerous-command-write.dangerous-command-write

Author: returntocorp
Downloads: 2,342

Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.


Definition

rules:
  - id: dangerous-command-write
    patterns:
      - pattern: |
          $CW.Write($BYTE)
      - pattern-inside: |
          $CW,$ERR := $CMD.StdinPipe()
          ...
      - pattern-not: |
          $CW.Write("...")
      - pattern-not: |
          $CW.Write([]byte("..."))
      - pattern-not: |
          $CW.Write([]byte("..."+"..."))
      - pattern-not-inside: |
          $BYTE = []byte("...");
          ...
      - pattern-not-inside: |
          $BYTE = []byte("..."+"...");
          ...
      - pattern-inside: |
          import "os/exec"
          ...
    message: Detected non-static command inside Write. Audit the input to
      '$CW.Write'. If unverified user data can reach this call site, this is a
      code injection vulnerability. A malicious actor can inject a malicious
      script to execute arbitrary code.
    severity: ERROR
    languages:
      - go
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      category: security
      technology:
        - go
      confidence: LOW
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

dangerous-command-write.go

package main

import (
	"fmt"
	"os/exec"
)

// test1 writes a command line built from caller-supplied data into bash's
// stdin pipe, which is exactly what the rule flags.
func test1(password string) {
	cmd := exec.Command("bash")
	cmdWriter, _ := cmd.StdinPipe()
	cmd.Start()

	// password is interpolated into a line that bash will parse.
	cmdString := fmt.Sprintf("sshpass -p %s", password)

	// ruleid:dangerous-command-write
	cmdWriter.Write([]byte(cmdString + "\n"))

	cmd.Wait()
}

// okTest1 only writes string literals (and literal concatenations) to the
// pipe, so the rule's pattern-not clauses exclude these calls.
func okTest1() {
	cmd := exec.Command("bash")
	cmdWriter, _ := cmd.StdinPipe()
	cmd.Start()

	// ok:dangerous-command-write
	cmdWriter.Write([]byte("sshpass -p 123\n"))
	cmdWriter.Write([]byte("exit" + "\n"))

	cmd.Wait()
}
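The fixture above shows what the rule matches; the following is an added example, not part of the rule's test file or of Semgrep itself, that shows why a line like `test1`'s `cmdString` is dangerous and what the hardened alternative looks like. `buildShellLine` reproduces the flagged shape, `shellLineCount` shows that a value containing a newline becomes a second command for bash, `safeArgv` passes the same data to `exec.Command` as argv elements with no shell in between, and `checkStdinData` is a conservative allowlist (the character set is an assumption of this example, not something the rule prescribes) for the cases where writing untrusted data to a shell's stdin cannot be designed away. The sample value and the `host.example` remote are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeStdinData is returned by checkStdinData when a value destined for a
// shell's standard input contains characters the shell would treat as syntax.
var ErrUnsafeStdinData = errors.New("stdin data contains shell control characters")

// buildShellLine reproduces the shape the rule flags: untrusted data is
// formatted into a line that bash will parse from its stdin pipe. A value
// containing a newline becomes a second command line, which is the
// injection the rule's message describes.
func buildShellLine(password string) string {
	return fmt.Sprintf("sshpass -p %s\n", password)
}

// shellLineCount counts how many command lines bash would read from the
// output of buildShellLine; anything above 1 means the data escaped its slot.
func shellLineCount(s string) int {
	return len(strings.Split(strings.TrimRight(s, "\n"), "\n"))
}

// safeArgv builds the argument vector for exec.Command directly. No shell is
// involved, so each element reaches the program as one argument and any
// metacharacters in password are data, not syntax.
func safeArgv(password, remote string) []string {
	return []string{"sshpass", "-p", password, "ssh", remote}
}

// checkStdinData is a conservative allowlist for cases where untrusted data
// must still be written to a shell's stdin: it rejects control characters
// (newline included) and common shell metacharacters. The exact set is an
// assumption made for this example, not part of the Semgrep rule.
func checkStdinData(s string) error {
	const meta = "`$;|&<>(){}\\\"'"
	for _, r := range s {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(meta, r) {
			return ErrUnsafeStdinData
		}
	}
	return nil
}

// runWithoutShell executes argv via exec.Command and feeds stdin through
// cmd.Stdin instead of a hand-built command string, returning stdout.
func runWithoutShell(argv []string, stdin string) (string, error) {
	if len(argv) == 0 {
		return "", errors.New("empty argv")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = strings.NewReader(stdin)
	var out bytes.Buffer
	cmd.Stdout = &out
	err := cmd.Run()
	return out.String(), err
}

func main() {
	// Constructed sample: a value with an embedded newline.
	untrusted := "pw\nsecond-line"
	fmt.Printf("lines bash would read: %d\n", shellLineCount(buildShellLine(untrusted)))
	fmt.Printf("checkStdinData: %v\n", checkStdinData(untrusted))
	fmt.Printf("argv without a shell: %q\n", safeArgv(untrusted, "host.example"))
	// A real process with no shell parsing of the data: cat echoes stdin unchanged.
	if out, err := runWithoutShell([]string{"cat"}, untrusted); err == nil {
		fmt.Printf("cat received %d bytes\n", len(out))
	}
}
```

The practical takeaway for triaging a finding from this rule: prefer `safeArgv`'s shape (invoke the program directly with its arguments) over spawning `bash` and writing lines to it; the `pattern-not` clauses in the rule only exempt string literals precisely because a literal cannot carry attacker-controlled newlines or metacharacters.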