python.sh.security.string-concat.string-concat
Author: semgrep
Download Count: 7,353
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.
Definition
rules:
- id: string-concat
  languages:
  - python
  severity: ERROR
  message: Detected string concatenation or formatting in a call to a command via
    'sh'. This could be a command injection vulnerability if the data is
    user-controlled. Instead, use a list and append the argument.
  metadata:
    cwe:
    - "CWE-78: Improper Neutralization of Special Elements used in an OS
      Command ('OS Command Injection')"
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    category: security
    technology:
    - sh
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Command Injection
  pattern-either:
  - pattern: sh.$BIN($X + $Y)
  - pattern: sh.$BIN($X.format(...))
  - pattern: sh.$BIN(f"...{...}...")
Examples
string-concat.py
import os
import sh

# Environment-derived data glued onto a flag: the whole string becomes one argument
long = os.environ.get("LONG", "")
# ruleid: string-concat
sh.ls("-a" + long)
# ok: string-concat
sh.ls("-al")
# ok: string-concat
sh.semgrep("--config", "https://semgrep.dev/p/r2c-CI")
confurl = os.environ.get("SEMGREP_CONFIG_URL", "")
# ruleid: string-concat
sh.semgrep("--config {}".format(confurl))
# ruleid: string-concat
sh.semgrep(f"--config {confurl}")
# ok: string-concat
# Passing the value as its own list element keeps flag and data separate
args = ["--config", confurl]
sh.semgrep(*args)
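As an added illustration (not part of the rule or its test file), the three `pattern-either` clauses above expressed as a plain Python `ast` check, run over a constructed copy of the test file; `SAMPLE`, `find_string_concat` and the helper names are my own and the flagged line numbers refer to that constructed sample.

```python
import ast
from typing import Optional

# Constructed sample mirroring the rule's test file (not the page's own code).
SAMPLE = '''
import os
import sh
long = os.environ.get("LONG", "")
sh.ls("-a" + long)                              # $X + $Y          -> finding
sh.ls("-al")                                    # literal           -> ok
sh.semgrep("--config", "https://semgrep.dev/p/r2c-CI")
confurl = os.environ.get("SEMGREP_CONFIG_URL", "")
sh.semgrep("--config {}".format(confurl))       # $X.format(...)    -> finding
sh.semgrep(f"--config {confurl}")               # f"...{...}..."    -> finding
args = ["--config", confurl]
sh.semgrep(*args)                               # separate elements -> ok
'''

def _is_sh_call(node: ast.Call) -> bool:
    """Match sh.$BIN(...): an attribute call whose receiver is the bare name 'sh'."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "sh")

def _arg_kind(arg: ast.expr) -> Optional[str]:
    """Return which of the rule's three patterns an argument matches, if any."""
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add):
        return "concat"          # $X + $Y
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"):
        return "format"          # $X.format(...)
    if isinstance(arg, ast.JoinedStr) and any(
            isinstance(v, ast.FormattedValue) for v in arg.values):
        return "fstring"         # f-string with at least one interpolation
    return None

def find_string_concat(source: str):
    """Return (line, kind) for every sh.<bin>(...) call with a built-up argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_sh_call(node):
            for arg in node.args:      # *args is an ast.Starred, so it is not matched
                kind = _arg_kind(arg)
                if kind:
                    findings.append((node.lineno, kind))
    return findings
```

Running `find_string_concat(SAMPLE)` reports the same three call sites that the rule's `ruleid` annotations mark, and none of the `ok` ones.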
Short Link: https://sg.run/Wg34