ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline

Author: semgrep
Download count: 6,314

Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.


Definition

rules:
  - id: dangerous-open3-pipeline
    patterns:
      # Any call to one of the Open3.pipeline* variants (see the regex below).
      - pattern: |
          Open3.$PIPE(...)
      # A call with at least one plain string-literal argument is treated as a
      # static command and skipped. Argv arrays and interpolated strings do not
      # satisfy this pattern, so calls built from them are reported for audit.
      - pattern-not: |
          Open3.$PIPE(...,"...",...)
      - metavariable-regex:
          metavariable: $PIPE
          regex: ^(pipeline|pipeline_r|pipeline_rw|pipeline_start|pipeline_w)$
    message: Detected non-static command inside $PIPE. Audit the input to '$PIPE'.
      If unverified user data can reach this call site, this is a code injection
      vulnerability. A malicious actor can inject a malicious script to execute
      arbitrary code.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      category: security
      technology:
        - ruby
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    languages:
      - ruby

Examples

dangerous-open3-pipeline.rb

require 'open3'

fname = "/usr/share/man/man1/ruby.1.gz"
# ok:dangerous-open3-pipeline
p Open3.pipeline(["zcat", fname], "nroff -man", "less")

fname = "/usr/share/man/man1/ls.1.gz"
# ok:dangerous-open3-pipeline
Open3.pipeline(["zcat", fname], "nroff -man", "colcrt")

# ok:dangerous-open3-pipeline
Open3.pipeline("sort", "uniq -c", :in=>"names.txt", :out=>"count")

r,w = IO.pipe
w.print "ibase=14\n10\n"
# ok:dangerous-open3-pipeline
Open3.pipeline("bc", "tee /dev/tty", :in=>r, :out=>w)

pdf_file = "paper.pdf"
# Reported: no top-level argument is a string literal, and the second stage is
# built by interpolating user_input. The argv-array form avoids the shell, but
# the interpolated value still needs to be validated before it reaches lpr.
# ruleid:dangerous-open3-pipeline
Open3.pipeline(["pdftops", pdf_file, "-"], ["lpr", "-P#{user_input}"])
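
Why the distinction between a string stage and an argv-array stage matters, as an added example that is not part of the Semgrep rule or its test file: the helper names `run_pipeline`, `vulnerable_upcase` and `safe_upcase` are chosen here, and the pipeline uses `echo` and `tr` so it runs on any POSIX system. When a stage is a single string that contains shell metacharacters after interpolation, Ruby hands it to `/bin/sh -c`, so a value such as `hi; echo INJECTED` runs a second command. When a stage is an argv array, the same value is passed to `exec(2)` as one argument and no shell is involved. The flagged line on this page already uses the array form and is still reported because the argument is built by interpolation: the array form removes shell injection, but a value that is allowed to start with `-` or that is spliced into an option can still change what the program does, so the interpolated value should be validated regardless.

```ruby
require 'open3'

# Run the given stages as one pipeline and return the last stage's stdout.
# (Helper name chosen for this example.)
def run_pipeline(*cmds)
  Open3.pipeline_r(*cmds) do |last_stdout, wait_threads|
    output = last_stdout.read
    wait_threads.each(&:value) # reap every stage before returning
    output
  end
end

# VULNERABLE: the first stage is a single string. Once `name` is interpolated
# it contains shell metacharacters, so Ruby runs it through /bin/sh -c and the
# shell interprets `;`, `|`, `$(...)` and similar characters in the value.
def vulnerable_upcase(name)
  run_pipeline("echo #{name}", "tr a-z A-Z")
end

# SAFE against shell injection: each stage is an argv array, which Ruby passes
# to exec(2) directly. The whole of `name` becomes a single argument to echo.
def safe_upcase(name)
  run_pipeline(['echo', name], ['tr', 'a-z', 'A-Z'])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-controlled input for the demonstration.
  payload = 'hi; echo INJECTED'
  puts "string form : #{vulnerable_upcase(payload).inspect}"
  puts "array form  : #{safe_upcase(payload).inspect}"
end
```

Run it as a script and the string form prints two lines (`HI` and `INJECTED`) because the shell executed the injected command, while the array form prints the uppercased payload as one line. The same pattern carries over to `pipeline_w`, `pipeline_rw` and `pipeline_start`: keep every stage an argv array and validate anything interpolated into it.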