ocaml.lang.security.exec.ocamllint-exec
Executing external programs might lead to command or argument injection vulnerabilities.
Definition
rules:
- id: ocamllint-exec
patterns:
- pattern-either:
- pattern: Unix.execve $STR
- pattern: Unix.execvp $STR
- pattern: Unix.execvpe $STR
- pattern: Unix.system $STR
- pattern: Sys.command $STR
- pattern-not: Unix.execve "..."
- pattern-not: Unix.execvp "..."
- pattern-not: Unix.execvpe "..."
- pattern-not: Unix.system "..."
- pattern-not: Sys.command "..."
message: Executing external programs might lead to command or argument injection
vulnerabilities.
languages:
- ocaml
severity: WARNING
metadata:
category: security
references:
- https://v2.ocaml.org/api/Unix.html
technology:
- ocaml
cwe: "CWE-78: OS Command Injection"
confidence: LOW
likelihood: MEDIUM
impact: HIGH
subcategory:
- audit
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Other
Examples
exec.ml
(* Test fixture for the ocamllint-exec rule.  Each call below passes a
   non-literal string as its first argument, so each one is expected to be
   reported; the `ruleid:` markers are the Semgrep test annotations and must
   stay on the line directly above the call they refer to.  Calls whose
   argument is a string literal ("...") are excluded by the rule's
   pattern-not clauses and would not be flagged. *)
#load "unix.cma";;
(* Command string built from a program argument (Sys.argv.(1)); this is the
   untrusted value that reaches the exec/system calls below, which is what
   makes them findings rather than fixed-command invocations. *)
let p = String.concat "ls " [" "; Sys.argv.(1)]
(* NOTE(review): Unix.execve / execvp / execvpe take further arguments
   (argv array, and for execve/execvpe the environment); only the program
   string is supplied here, so these bindings are partial applications.
   That is enough for the rule's `Unix.execve $STR` style patterns to match. *)
(* ruleid:ocamllint-exec *)
let a = Unix.execve p
(* ruleid:ocamllint-exec *)
let b = Unix.execvp p
(* ruleid:ocamllint-exec *)
let c = Unix.execvpe p
(* Unix.system and Sys.command hand the whole string to a shell, so an
   argument taken from argv is the classic OS command injection sink
   (CWE-78) this rule audits for. *)
(* ruleid:ocamllint-exec *)
let d = Unix.system p
(* ruleid:ocamllint-exec *)
let e = Sys.command p