python.aws-lambda.security.dangerous-system-call.dangerous-system-call

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected os function with argument tainted by event object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: dangerous-system-call
    mode: taint
    message: Detected `os` function with argument tainted by `event` object. This is
      dangerous if external data can reach this function call because it allows
      a malicious actor to execute commands. Use the 'subprocess' module
      instead, which is easier to use without accidentally exposing a command
      injection vulnerability.
    metadata:
      source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.2.4 Dyanmic Code Execution Features
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
        version: "4"
      category: security
      technology:
        - python
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - python
    severity: ERROR
    pattern-sources:
      - patterns:
          - pattern: event
          - pattern-inside: |
              def $HANDLER(event, context):
                ...
    pattern-sinks:
      - patterns:
          - focus-metavariable: $CMD
          - pattern-either:
              - pattern: os.system($CMD,...)
              - pattern: os.popen($CMD,...)
              - pattern: os.popen2($CMD,...)
              - pattern: os.popen3($CMD,...)
              - pattern: os.popen4($CMD,...)

Examples

dangerous-system-call.py

import os

def handler(event, context):
    # ok: dangerous-system-call
    os.system("ls -al")

    # ok: dangerous-system-call
    os.popen("cat contents.txt")

    # ruleid: dangerous-system-call
    os.system(f"ls -la {event['dir']}")