javascript.aws-lambda.security.detect-child-process.detect-child-process

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: detect-child-process
    message: Allowing spawning arbitrary programs or running shell processes with
      arbitrary arguments may end up in a command injection vulnerability. Try
      to avoid non-literal values for the command string. If it is not possible,
      then do not let running arbitrary commands, use a white list for inputs.
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      category: security
      technology:
        - javascript
        - aws-lambda
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - javascript
      - typescript
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: $EVENT
          - pattern-either:
              - pattern-inside: |
                  exports.handler = function ($EVENT, ...) {
                    ...
                  }
              - pattern-inside: |
                  function $FUNC ($EVENT, ...) {...}
                  ...
                  exports.handler = $FUNC
              - pattern-inside: |
                  $FUNC = function ($EVENT, ...) {...}
                  ...
                  exports.handler = $FUNC
    pattern-sinks:
      - patterns:
          - focus-metavariable: $CMD
          - pattern-either:
              - pattern: exec($CMD,...)
              - pattern: execSync($CMD,...)
              - pattern: spawn($CMD,...)
              - pattern: spawnSync($CMD,...)
              - pattern: $CP.exec($CMD,...)
              - pattern: $CP.execSync($CMD,...)
              - pattern: $CP.spawn($CMD,...)
              - pattern: $CP.spawnSync($CMD,...)
          - pattern-either:
              - pattern-inside: |
                  require('child_process')
                  ...
              - pattern-inside: |
                  import 'child_process'
                  ...

Examples

detect-child-process.js

const cp = require('child_process');

exports.handler = async (event) => {
    // ruleid:detect-child-process
    cp.exec(`cat *.js ${event['file']}| wc -l`, (error, stdout, stderr) => {
        console.log(stdout)
    });

    // ruleid:detect-child-process
    cp.spawnSync(event['cmd']);

    // ok:detect-child-process
    cp.exec('ls')
};