python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args
returntocorpAuthor
unknown
Download Count*
License
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
Run Locally
Run in CI
Defintion
rules:
- id: dangerous-os-exec-tainted-env-args
mode: taint
options:
symbolic_propagation: true
pattern-sources:
- patterns:
- pattern-either:
- patterns:
- pattern-either:
- pattern: os.environ
- pattern: os.environ.get('$FOO', ...)
- pattern: os.environb
- pattern: os.environb.get('$FOO', ...)
- pattern: os.getenv('$ANYTHING', ...)
- pattern: os.getenvb('$ANYTHING', ...)
- patterns:
- pattern-either:
- patterns:
- pattern-either:
- pattern: sys.argv
- pattern: sys.orig_argv
- patterns:
- pattern-inside: |
$PARSER = argparse.ArgumentParser(...)
...
- pattern-inside: |
$ARGS = $PARSER.parse_args()
- pattern: <... $ARGS ...>
- patterns:
- pattern-inside: |
$PARSER = optparse.OptionParser(...)
...
- pattern-inside: |
$ARGS = $PARSER.parse_args()
- pattern: <... $ARGS ...>
- patterns:
- pattern-either:
- pattern-inside: |
$OPTS, $ARGS = getopt.getopt(...)
...
- pattern-inside: |
$OPTS, $ARGS = getopt.gnu_getopt(...)
...
- pattern-either:
- patterns:
- pattern-inside: |
for $O, $A in $OPTS:
...
- pattern: $A
- pattern: $ARGS
pattern-sinks:
- patterns:
- pattern-either:
- patterns:
- pattern-not: os.$METHOD("...", ...)
- pattern: os.$METHOD(...)
- metavariable-regex:
metavariable: $METHOD
regex: (execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)
- patterns:
- pattern-not: os.$METHOD("...", [$PATH,"...","...",...],...)
- pattern-inside: os.$METHOD($BASH,[$PATH,"-c",$CMD,...],...)
- pattern: $CMD
- metavariable-regex:
metavariable: $METHOD
regex: (execv|execve|execvp|execvpe)
- metavariable-regex:
metavariable: $BASH
regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
- patterns:
- pattern-not: os.$METHOD("...", $PATH, "...", "...",...)
- pattern-inside: os.$METHOD($BASH, $PATH, "-c", $CMD,...)
- pattern: $CMD
- metavariable-regex:
metavariable: $METHOD
regex: (execl|execle|execlp|execlpe)
- metavariable-regex:
metavariable: $BASH
regex: (.*)(sh|bash|ksh|csh|tcsh|zsh)
message: Found user controlled content when spawning a process. This is
dangerous because it allows a malicious actor to execute commands.
metadata:
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
references:
- https://semgrep.dev/docs/cheat-sheets/python-command-injection/
asvs:
section: "V5: Validation, Sanitization and Encoding Verification Requirements"
control_id: 5.3.8 OS Command Injection
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
version: "4"
confidence: MEDIUM
category: security
technology:
- python
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- python
severity: ERROR
Examples
dangerous-os-exec-tainted-env-args.py
import os
import sys
from somewhere import something
# ok:dangerous-os-exec-tainted-env-args
os.execl("/foo/bar", "/foo/bar")
# ok:dangerous-os-exec-tainted-env-args
os.execv("/foo/bar", ["/foo/bar", "-a", "-b"])
cmd = something()
# fn:dangerous-os-exec-tainted-env-args
os.execl(cmd, cmd, "--do-smth")
# fn:dangerous-os-exec-tainted-env-args
os.execve("/bin/bash", ["/bin/bash", "-c", something()], os.environ)
# fn:dangerous-os-exec-tainted-env-args
os.execl("/bin/bash", "/bin/bash", "-c", something())
cmd = sys.argv[2]
# ruleid:dangerous-os-exec-tainted-env-args
os.execl("/bin/bash", "/bin/bash", "-c", cmd)
cmd2 = os.environ['BAD']
# ruleid:dangerous-os-exec-tainted-env-args
os.execl("/bin/bash", "/bin/bash", "-c", cmd2)
Short Link: https://sg.run/qL6z