javascript.lang.security.audit.spawn-shell-true.spawn-shell-true
semgrep
Author
5,157
Download Count*
License
Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.
Run Locally
Run in CI
Defintion
rules:
- id: spawn-shell-true
message: "Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this
call will spawn the command using a shell process. Doing so propagates
current shell settings and variables, which makes it much easier for a
malicious actor to execute commands. Use '{shell: false}' instead."
metadata:
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
category: security
technology:
- javascript
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
references:
- https://owasp.org/Top10/A03_2021-Injection
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Command Injection
languages:
- javascript
- typescript
severity: ERROR
patterns:
- pattern-either:
- pattern: |
spawn(...,{shell: $SHELL})
- pattern: |
spawnSync(...,{shell: $SHELL})
- pattern: |
$CP.spawn(...,{shell: $SHELL})
- pattern: |
$CP.spawnSync(...,{shell: $SHELL})
- pattern-not: |
spawn(...,{shell: false})
- pattern-not: |
spawnSync(...,{shell: false})
- pattern-not: |
$CP.spawn(...,{shell: false})
- pattern-not: |
$CP.spawnSync(...,{shell: false})
Examples
spawn-shell-true.js
const {exec, spawnSync} = require('child_process');
// ruleid: spawn-shell-true
const ls = spawn('ls', ['-lh', '/usr'], {shell:true});
// ruleid: spawn-shell-true
const pid = spawnSync('ls', ['-lh', '/usr'], {shell: '/bin/sh'});
// ok: spawn-shell-true
spawn('ls', ['-lh', '/usr'], {shell:false});
// ok: spawn-shell-true
spawn('ls', ['-lh', '/usr'], {});
Short Link: https://sg.run/Wgeo