javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection


If unverified user data can reach the exec method it can result in Remote Code Execution


Definition

rules:
  - id: shelljs-exec-injection
    message: If unverified user data can reach the `exec` method it can result in
      Remote Code Execution
    metadata:
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      category: security
      technology:
        - shelljs
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # LOW likelihood / LOW confidence: the patterns below are purely syntactic
      # (no taint mode), so any non-literal first argument to exec() is reported,
      # not only values that actually originate from user input.
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - javascript
      - typescript
    severity: ERROR
    patterns:
      # Anchor: only call sites that follow a `require('shelljs')` in the same
      # file are considered. NOTE(review): an ES-module `import` of shelljs
      # presumably does not satisfy this anchor — confirm before relying on it.
      - pattern-inside: |
          require('shelljs');
          ...
      # Exclusion: the argument variable was earlier assigned a plain string
      # literal (okTest3 in the examples shows this also covering a `const`
      # declaration), so the command cannot carry caller-controlled data.
      - pattern-not-inside: |
          require('shelljs');
          ...
          var $INPUT = "...";
          ...
      # Match: exec() on any receiver with a non-literal first argument; a
      # template literal with interpolation counts (test2 in the examples).
      - pattern: $SHELL.exec($INPUT,...)
      # Exclusion: a string-literal command is never reported (okTest4).
      - pattern-not: $SHELL.exec("...",...)

Examples

shelljs-exec-injection.js

// The rule's `pattern-inside` anchor requires this `require('shelljs')` to
// precede the call sites below; without it none of the exec() calls are
// considered.
const shell = require('shelljs');

/**
 * Positive fixture: the command string is passed straight from the caller to
 * `exec`, so the rule's `$SHELL.exec($INPUT,...)` pattern matches and neither
 * string-literal exclusion applies.
 * @param {string} userInput - command string forwarded verbatim to `exec`
 * @returns {*} whatever `shell.exec` returns for that command
 */
function test1(userInput) {
    // ruleid:shelljs-exec-injection
    return shell.exec(userInput, {silent: true})
}

/**
 * Positive fixture: the caller's value is interpolated into a template literal
 * before the call. The argument is therefore not a plain string literal, so
 * the rule's `pattern-not` / `pattern-not-inside` exclusions do not apply and
 * the call is still reported.
 * @param {string} userInput - fragment interpolated into the `ls` command
 * @returns {*} whatever `shell.exec` returns for the built command
 */
function test2(userInput) {
    const input = `ls ${userInput}`
    // ruleid:shelljs-exec-injection
    return shell.exec(input, {silent: true})
}

/**
 * Negative fixture: `input` is assigned a string literal before the call, so
 * the rule's `pattern-not-inside` (`var $INPUT = "..."`) suppresses the
 * finding even though the argument to `exec` is a variable. `userInput` is
 * intentionally unused.
 * @param {string} userInput - ignored; present only to mirror the positive cases
 * @returns {*} whatever `shell.exec` returns for the fixed `ls ./` command
 */
function okTest3(userInput) {
    // ok:shelljs-exec-injection
    const input = 'ls ./'
    return shell.exec(input, {silent: true})
}

/**
 * Negative fixture: the command is a string literal at the call site, which
 * the rule's `pattern-not: $SHELL.exec("...",...)` excludes outright.
 * `userInput` is intentionally unused.
 * @param {string} userInput - ignored; present only to mirror the positive cases
 * @returns {*} whatever `shell.exec` returns for the fixed `ls ./` command
 */
function okTest4(userInput) {
    // ok:shelljs-exec-injection
    return shell.exec('ls ./', {silent: true})
}