javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run
returntocorpAuthor
5,133
Download Count*
License
Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.
Run Locally
Run in CI
Defintion
rules:
- id: deno-dangerous-run
message: Detected non-literal calls to Deno.run(). This could lead to a command
injection vulnerability.
metadata:
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
category: security
technology:
- deno
references:
- https://deno.land/manual/examples/subprocess#simple-example
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- javascript
- typescript
severity: ERROR
mode: taint
pattern-sources:
- patterns:
- pattern-inside: function ... (..., $ARG,...) {...}
- focus-metavariable: $ARG
pattern-sinks:
- patterns:
- pattern-either:
- pattern: |
Deno.run({cmd: [$INPUT,...]},...)
- pattern: >
Deno.run({cmd:
["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$INPUT,...]},...)
- patterns:
- pattern: |
Deno.run({cmd: [$CMD,"-c",$INPUT,...]},...)
- pattern-inside: |
$CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"
...
- focus-metavariable: $INPUT
Examples
deno-dangerous-run.js
async function okTest() {
const p = Deno.run({
cmd: ["echo", "hello"],
});
await p.status();
}
async function test1(userInput) {
const p = Deno.run({
// ruleid: deno-dangerous-run
cmd: [userInput, "hello"],
stdout: "piped",
stderr: "piped",
});
await p.status();
}
async function test1(userInput) {
const p = Deno.run({
// ruleid: deno-dangerous-run
cmd: ["bash", "-c", userInput],
stdout: "piped",
stderr: "piped",
});
await p.status();
}
Short Link: https://sg.run/Nrrn