ruby.lang.security.dangerous-subshell.dangerous-subshell
Author: semgrep
Download count: 5,552
Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
Definition
rules:
- id: dangerous-subshell
  patterns:
  - pattern: |
      `...#{$VAL}...`
  - pattern-not: |
      `...#{"..."}...`
  - pattern-not-inside: |
      $VAL = "..."
      ...
  message: Detected non-static command inside `...`. If unverified user data can
    reach this call site, this is a code injection vulnerability. A malicious
    actor can inject a malicious script to execute arbitrary code.
  metadata:
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    owasp:
    - A03:2021 - Injection
    category: security
    technology:
    - ruby
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    cwe2022-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Code Injection
  severity: WARNING
  languages:
  - ruby
Examples
dangerous-subshell.rb
def test_calls(user_input)
  # ruleid: dangerous-subshell
  result = `foo #{user_input} bar`
  # ruleid: dangerous-subshell
  result2 = %x{foo #{user_input} bar}
  # ruleid: dangerous-subshell
  cmd = `foo #{user_input} bar #{smth_else}`
  # ok: dangerous-subshell
  smth = `ls testdir`.split[1]
  # ok: dangerous-subshell
  ok_cmd = `echo oops && exit 99`
  hardcode = "testdir"
  # ok: dangerous-subshell
  ok_cmd2 = %{ls #{hardcode} -lah}
end
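The fixture above only shows which call sites the rule does and does not report. The following added example (written for this page, not part of the Semgrep rule or its test file) puts the flagged backtick form next to the remediation a reviewer would ask for: the argv form of `Open3.capture2`, which never starts a shell, and `Shellwords.escape` for the rare case where a pipeline genuinely needs one. The helper names and the sample input value are constructed for the example.

```ruby
require "open3"
require "shellwords"

# Flagged by dangerous-subshell: the interpolated value is spliced into a
# string that /bin/sh parses, so shell metacharacters in `name` become
# command syntax instead of data.
def echo_unsafe(name)
  # ruleid: dangerous-subshell
  `echo #{name}`
end

# Not flagged: argv form. With separate arguments Ruby execs the program
# directly and no shell is involved, so `name` reaches printf as exactly one
# argument whatever characters it contains. printf with an explicit format
# is used rather than echo so a value starting with "-" cannot be read as an
# option (argument injection is a separate concern from shell injection).
def echo_argv(name)
  out, status = Open3.capture2("printf", "%s\n", name)
  raise "printf failed: #{status}" unless status.success?
  out
end

# Still reported by this audit rule (the interpolated expression is not a
# string literal), but safe when a shell really is required, for example for
# a pipeline: Shellwords.escape quotes every metacharacter so the value stays
# a single shell word.
def echo_escaped_through_shell(name)
  # ruleid: dangerous-subshell
  `echo #{Shellwords.escape(name)} | cat`
end

# Build the shell command line without running it, so the effect of escaping
# can be inspected directly.
def shell_command_for(name)
  "echo #{Shellwords.escape(name)} | cat"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value: text a shell would parse as two commands.
  sample = "hello; echo INJECTED"
  puts echo_argv(sample)          # the whole string, printed literally
  puts shell_command_for(sample)  # echo hello\;\ echo\ INJECTED | cat
  puts echo_escaped_through_shell(sample)
end
```

The argv form is the fix to prefer: it removes the shell from the picture, so there is nothing for the rule to audit and nothing for a reviewer to re-check when the command changes. Escaping keeps the finding open (the rule cannot tell an escaped interpolation from a raw one), which is acceptable for an audit-level rule but means every such site needs a human look.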
Short Link: https://sg.run/NrxL