python.lang.security.audit.dangerous-os-exec-audit.dangerous-os-exec-audit

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: dangerous-os-exec-audit
    message: Found dynamic content when spawning a process. This is dangerous if
      external data can reach this function call because it allows a malicious
      actor to execute commands. Ensure no external data reaches here.
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.3.8 OS Command Injection
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
        version: "4"
      category: security
      technology:
        - python
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - python
    severity: ERROR
    pattern-either:
      - patterns:
          - pattern-not: os.$METHOD("...", ...)
          - pattern: os.$METHOD(...)
          - metavariable-regex:
              metavariable: $METHOD
              regex: (execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)
      - patterns:
          - pattern-not: os.$METHOD("...", [$PATH,"...","...",...],...)
          - pattern: os.$METHOD($BASH,[$PATH,"-c",$CMD,...],...)
          - metavariable-regex:
              metavariable: $METHOD
              regex: (execv|execve|execvp|execvpe)
          - metavariable-regex:
              metavariable: $BASH
              regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
      - patterns:
          - pattern-not: os.$METHOD("...", $PATH, "...", "...",...)
          - pattern: os.$METHOD($BASH, $PATH, "-c", $CMD,...)
          - metavariable-regex:
              metavariable: $METHOD
              regex: (execl|execle|execlp|execlpe)
          - metavariable-regex:
              metavariable: $BASH
              regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)

Examples

dangerous-os-exec-audit.py

import os
from somewhere import something

# ok:dangerous-os-exec-audit
os.execl("/foo/bar", "/foo/bar")

# ok:dangerous-os-exec-audit
os.execv("/foo/bar", ["/foo/bar", "-a", "-b"])

cmd = something()
# ruleid:dangerous-os-exec-audit
os.execl(cmd, cmd, '--do-smth')

# ruleid:dangerous-os-exec-audit
os.execve("/bin/bash", ["/bin/bash", "-c", something()], os.environ)

# ruleid:dangerous-os-exec-audit
os.execl("/bin/bash", "/bin/bash", "-c", something())