javascript.lang.security.audit.spawn-shell-true.spawn-shell-true

profile photo of semgrepsemgrep
Author
5,157
Download Count*

Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.

Run Locally

Run in CI

Defintion

rules:
  - id: spawn-shell-true
    message: "Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this
      call will spawn the command using a shell process. Doing so propagates
      current shell settings and variables, which makes it much easier for a
      malicious actor to execute commands. Use '{shell: false}' instead."
    metadata:
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      category: security
      technology:
        - javascript
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - javascript
      - typescript
    severity: ERROR
    patterns:
      - pattern-either:
          - pattern: |
              spawn(...,{shell: $SHELL})
          - pattern: |
              spawnSync(...,{shell: $SHELL})
          - pattern: |
              $CP.spawn(...,{shell: $SHELL})
          - pattern: |
              $CP.spawnSync(...,{shell: $SHELL})
      - pattern-not: |
          spawn(...,{shell: false})
      - pattern-not: |
          spawnSync(...,{shell: false})
      - pattern-not: |
          $CP.spawn(...,{shell: false})
      - pattern-not: |
          $CP.spawnSync(...,{shell: false})

Examples

spawn-shell-true.js

const {exec, spawnSync} = require('child_process');

// ruleid: spawn-shell-true
const ls = spawn('ls', ['-lh', '/usr'], {shell:true});

// ruleid: spawn-shell-true
const pid = spawnSync('ls', ['-lh', '/usr'], {shell: '/bin/sh'});

// ok: spawn-shell-true
spawn('ls', ['-lh', '/usr'], {shell:false});

// ok: spawn-shell-true
spawn('ls', ['-lh', '/usr'], {});