ruby.lang.security.dangerous-open.dangerous-open

Author: semgrep
Download count: 6,314

Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

Definition

rules:
  - id: dangerous-open
    patterns:
      - pattern: |
          open($CMD,...)
      - pattern-not: |
          open("...",...)
      - metavariable-regex:
          metavariable: $CMD
          # Match a literal pipe character in the first argument. The backslash
          # must be doubled inside a YAML double-quoted string; a bare "|" is an
          # empty alternation that matches every expression, which would also
          # flag the open(filename) case the test file marks as ok.
          regex: "\\|"
    message: Detected non-static command inside 'open'. Audit the input to 'open'.
      If unverified user data can reach this call site, this is a code injection
      vulnerability. A malicious actor can inject a malicious script to execute
      arbitrary code.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      category: security
      technology:
        - ruby
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    languages:
      - ruby

Examples

dangerous-open.rb

# ok:dangerous-open
cmd = open("|date")
print cmd.gets
cmd.close

filename = "testfile"
# ok:dangerous-open
open(filename) do |f|
  print f.gets
end

# ruleid:dangerous-open
cmd = open("|%s" % user_input)
print cmd.gets
cmd.close

# ruleid:dangerous-open
cmd = open(Kernel::sprintf("|%s", user_input))
print cmd.gets
cmd.close
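The rule fires because Ruby's `Kernel#open` interprets a first argument that begins with `|` as a shell command to spawn, so any user-controlled value that reaches it is a command-injection sink. The following added example (written for this page, not taken from the Semgrep rule or its test file) shows the defensive side: a helper that restricts names to a fixed directory and uses `File.open`, which never spawns a command, plus a small check of the kind a reviewer can apply to the first argument. The base directory, the file name pattern and the `read_user_file` helper are assumptions for illustration.

```ruby
require 'tmpdir'   # only used by the stand-alone demo at the bottom

# True when an argument would be treated by Kernel#open as a command to run.
# Useful when auditing call sites the rule reports.
def pipe_command?(arg)
  arg.is_a?(String) && arg.start_with?("|")
end

# Hardened replacement for open("|%s" % user_input)-style code when the intent
# was to read a file: the name is restricted to a plain file name (no "|", no
# path separators, no leading dot tricks beyond a literal "."), joined to a
# fixed base directory, and opened with File.open, which treats every string
# as a path and never executes anything. (Assumed helper, not from the rule.)
def read_user_file(base_dir, name)
  unless name.match?(/\A[\w.-]+\z/)
    raise ArgumentError, "invalid file name: #{name.inspect}"
  end
  path = File.join(base_dir, name)
  File.open(path, "r") { |f| f.read }
end

# Demonstrates that File.open does not share Kernel#open's pipe behaviour:
# inside an empty directory, File.open("|date") looks for a file literally
# named "|date" and raises Errno::ENOENT; no process is started.
def file_open_treats_pipe_as_name?(dir)
  Dir.chdir(dir) do
    File.open("|date") { |f| f.read }
    false   # a file named "|date" existed; still nothing was executed
  rescue Errno::ENOENT
    true
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "notes.txt"), "hello\n")   # constructed sample file
    puts read_user_file(dir, "notes.txt")                # => hello
    puts pipe_command?("|id")                            # => true
    puts file_open_treats_pipe_as_name?(dir)             # => true
    begin
      read_user_file(dir, "|date")
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

When the call site genuinely needs to run a program, the same audit leads to `IO.popen` with an argument array (`IO.popen(["date"])`), which passes arguments directly to the process without a shell and so removes the string-concatenation path the rule is looking for.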