python.sh.security.string-concat.string-concat

Author: semgrep
Download Count: 7,353

Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.


Definition

rules:
  - id: string-concat
    languages:
      - python
    severity: ERROR
    message: Detected string concatenation or formatting in a call to a command via
      'sh'. This could be a command injection vulnerability if the data is
      user-controlled. Instead, use a list and append the argument.
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      category: security
      technology:
        - sh
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    pattern-either:
      - pattern: sh.$BIN($X + $Y)
      - pattern: sh.$BIN($X.format(...))
      - pattern: sh.$BIN(f"...{...}...")

Examples

string-concat.py

import os
import sh

long = os.environ.get("LONG", "")
# ruleid: string-concat
sh.ls("-a" + long)

# ok: string-concat
sh.ls("-al")

# ok: string-concat
sh.semgrep("--config", "https://semgrep.dev/p/r2c-CI")

confurl = os.environ.get("SEMGREP_CONFIG_URL", "")
# ruleid: string-concat
sh.semgrep("--config {}".format(confurl))

# ruleid: string-concat
sh.semgrep(f"--config {confurl}")

# ok: string-concat
args = ["--config", confurl]
sh.semgrep(*args)
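To make the three patterns concrete, here is the same check written as a small Python `ast` visitor. This is an added example, not Semgrep's matcher and not part of the rule; it mirrors `sh.$BIN($X + $Y)`, `sh.$BIN($X.format(...))` and `sh.$BIN(f"...{...}...")` on the Python syntax tree (`BinOp` with `Add`, a `.format` call, and a `JoinedStr` containing a `FormattedValue`). The sample source it scans is constructed here from the test file above plus one extra line, and the function names `find_string_concat` and `_is_string_build` are this example's own.

```python
import ast

# Added example: an ast-based stand-in for the rule's three patterns.
# It is not the Semgrep engine; it only illustrates what the patterns match.


def _is_string_build(node: ast.AST) -> bool:
    """True for the three argument shapes the rule flags."""
    # sh.$BIN($X + $Y): any '+' expression as the argument
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return True
    # sh.$BIN($X.format(...)): a call to a .format attribute
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    # sh.$BIN(f"...{...}..."): an f-string with at least one interpolation
    if isinstance(node, ast.JoinedStr) and any(
            isinstance(v, ast.FormattedValue) for v in node.values):
        return True
    return False


def find_string_concat(source: str, module: str = "sh") -> list:
    """Return (lineno, command) for every sh.<cmd>(<built string>) call.

    Like the rule, this only looks at calls with exactly one positional
    argument, because each Semgrep pattern lists a single argument.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # sh.$BIN(...): attribute access on the bare module name
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == module):
            continue
        if len(node.args) != 1 or node.keywords:
            continue
        if _is_string_build(node.args[0]):
            findings.append((node.lineno, func.attr))
    return findings


# Constructed sample: the page's test file plus one two-argument call.
SAMPLE = '''\
import os
import sh

long = os.environ.get("LONG", "")
sh.ls("-a" + long)                                       # flagged: $X + $Y
sh.ls("-al")                                             # ok
sh.semgrep("--config", "https://semgrep.dev/p/r2c-CI")   # ok: separate args
confurl = os.environ.get("SEMGREP_CONFIG_URL", "")
sh.semgrep("--config {}".format(confurl))                # flagged: .format(...)
sh.semgrep(f"--config {confurl}")                        # flagged: f-string
args = ["--config", confurl]
sh.semgrep(*args)                                        # ok: list of args
sh.bash("-c", "ls " + confurl)                           # not matched: two arguments
'''

if __name__ == "__main__":
    for lineno, cmd in find_string_concat(SAMPLE):
        print(f"line {lineno}: string built inside sh.{cmd}(...)")
```

Two practical caveats follow from the patterns. First, each pattern lists exactly one argument, so the rule stays silent when the built string is one of several arguments; the last sample line, `sh.bash("-c", "ls " + confurl)`, is the shape that actually reaches a shell, and catching it needs the argument wrapped in ellipses, e.g. `sh.$BIN(..., $X + $Y, ...)`. Second, `sh` execs the program directly rather than through a shell, so a concatenated string normally becomes a single malformed argv element rather than a shell escape, which is why the rule carries LOW confidence and the `audit` subcategory; the habit it flags is still worth fixing because the same string becomes real command injection the moment it is handed to a shell.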