python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.

Run Locally

Run in CI

Defintion

rules:
  - id: dangerous-os-exec-tainted-env-args
    mode: taint
    options:
      symbolic_propagation: true
    pattern-sources:
      - patterns:
          - pattern-either:
              - patterns:
                  - pattern-either:
                      - pattern: os.environ
                      - pattern: os.environ.get('$FOO', ...)
                      - pattern: os.environb
                      - pattern: os.environb.get('$FOO', ...)
                      - pattern: os.getenv('$ANYTHING', ...)
                      - pattern: os.getenvb('$ANYTHING', ...)
              - patterns:
                  - pattern-either:
                      - patterns:
                          - pattern-either:
                              - pattern: sys.argv
                              - pattern: sys.orig_argv
                      - patterns:
                          - pattern-inside: |
                              $PARSER = argparse.ArgumentParser(...)
                              ...
                          - pattern-inside: |
                              $ARGS = $PARSER.parse_args()
                          - pattern: <... $ARGS ...>
                      - patterns:
                          - pattern-inside: |
                              $PARSER = optparse.OptionParser(...)
                              ...
                          - pattern-inside: |
                              $ARGS = $PARSER.parse_args()
                          - pattern: <... $ARGS ...>
                      - patterns:
                          - pattern-either:
                              - pattern-inside: |
                                  $OPTS, $ARGS = getopt.getopt(...)
                                  ...
                              - pattern-inside: |
                                  $OPTS, $ARGS = getopt.gnu_getopt(...)
                                  ...
                          - pattern-either:
                              - patterns:
                                  - pattern-inside: |
                                      for $O, $A in $OPTS:
                                        ...
                                  - pattern: $A
                              - pattern: $ARGS
    pattern-sinks:
      - patterns:
          - pattern-either:
              - patterns:
                  - pattern-not: os.$METHOD("...", ...)
                  - pattern: os.$METHOD(...)
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: (execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)
              - patterns:
                  - pattern-not: os.$METHOD("...", [$PATH,"...","...",...],...)
                  - pattern-inside: os.$METHOD($BASH,[$PATH,"-c",$CMD,...],...)
                  - pattern: $CMD
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: (execv|execve|execvp|execvpe)
                  - metavariable-regex:
                      metavariable: $BASH
                      regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
              - patterns:
                  - pattern-not: os.$METHOD("...", $PATH, "...", "...",...)
                  - pattern-inside: os.$METHOD($BASH, $PATH, "-c", $CMD,...)
                  - pattern: $CMD
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: (execl|execle|execlp|execlpe)
                  - metavariable-regex:
                      metavariable: $BASH
                      regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
    message: Found user controlled content when spawning a process. This is
      dangerous because it allows a malicious actor to execute commands.
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.3.8 OS Command Injection
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
        version: "4"
      confidence: MEDIUM
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - python
    severity: ERROR

Examples

dangerous-os-exec-tainted-env-args.py

import os
import sys
from somewhere import something

# ok:dangerous-os-exec-tainted-env-args
os.execl("/foo/bar", "/foo/bar")

# ok:dangerous-os-exec-tainted-env-args
os.execv("/foo/bar", ["/foo/bar", "-a", "-b"])

cmd = something()
# fn:dangerous-os-exec-tainted-env-args
os.execl(cmd, cmd, "--do-smth")

# fn:dangerous-os-exec-tainted-env-args
os.execve("/bin/bash", ["/bin/bash", "-c", something()], os.environ)

# fn:dangerous-os-exec-tainted-env-args
os.execl("/bin/bash", "/bin/bash", "-c", something())

cmd = sys.argv[2]
# ruleid:dangerous-os-exec-tainted-env-args
os.execl("/bin/bash", "/bin/bash", "-c", cmd)

cmd2 = os.environ['BAD']
# ruleid:dangerous-os-exec-tainted-env-args
os.execl("/bin/bash", "/bin/bash", "-c", cmd2)