python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process
semgrepAuthor
unknown
Download Count*
License
Detected os function with argument tainted by event object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
Run Locally
Run in CI
Defintion
rules:
- id: dangerous-spawn-process
mode: taint
message: Detected `os` function with argument tainted by `event` object. This is
dangerous if external data can reach this function call because it allows
a malicious actor to execute commands. Ensure no external data reaches
here.
metadata:
source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
asvs:
section: "V5: Validation, Sanitization and Encoding Verification Requirements"
control_id: 5.3.8 OS Command Injection
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
version: "4"
category: security
technology:
- python
- aws-lambda
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
references:
- https://owasp.org/Top10/A03_2021-Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
confidence: MEDIUM
vulnerability_class:
- Command Injection
languages:
- python
severity: ERROR
pattern-sources:
- patterns:
- pattern: event
- pattern-inside: |
def $HANDLER(event, context):
...
pattern-sinks:
- patterns:
- focus-metavariable: $CMD
- pattern-either:
- patterns:
- pattern: os.$METHOD($MODE, $CMD, ...)
- metavariable-regex:
metavariable: $METHOD
regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)
- patterns:
- pattern-inside: os.$METHOD($MODE, $BASH, ["-c", $CMD,...],...)
- metavariable-regex:
metavariable: $METHOD
regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)
- metavariable-regex:
metavariable: $BASH
regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
- patterns:
- pattern-inside: os.$METHOD($MODE, $BASH, "-c", $CMD,...)
- metavariable-regex:
metavariable: $METHOD
regex: (spawnl|spawnle|spawnlp|spawnlpe)
- metavariable-regex:
metavariable: $BASH
regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
Examples
dangerous-spawn-process.py
import os
import shlex
from somewhere import something
def handler(event, context):
# ok:dangerous-spawn-process
os.spawnlp(os.P_WAIT, "ls")
# ok:dangerous-spawn-process
os.spawnlpe(os.P_WAIT, "ls")
# ok:dangerous-spawn-process
os.spawnv(os.P_WAIT, "/bin/ls")
# ok:dangerous-spawn-process
os.spawnve(os.P_WAIT, "/bin/ls", ["-a"], os.environ)
# ruleid:dangerous-spawn-process
os.spawnlp(os.P_WAIT, event['cmd'])
# ruleid:dangerous-spawn-process
os.spawnlpe(os.P_WAIT, event['cmd'])
# ruleid:dangerous-spawn-process
os.spawnv(os.P_WAIT, f"foo-{event['cmd']}")
# ruleid:dangerous-spawn-process
os.spawnve(os.P_WAIT, event['cmd'], ["-a"], os.environ)
# ruleid:dangerous-spawn-process
os.spawnve(os.P_WAIT, "/bin/bash", ["-c", f"ls -la {event['cmd']}"], os.environ)
# ruleid:dangerous-spawn-process
os.spawnl(os.P_WAIT, "/bin/bash", "-c", f"ls -la {event['cmd']}")
# ruleid:dangerous-spawn-process
os.spawnl(os.P_WAIT, "/bin/bash", "-c", event['cmd'])
Short Link: https://sg.run/2AjL