ruby.lang.security.dangerous-syscall.dangerous-syscall
Author: semgrep
Download count: 6,314
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Kernel#syscall invokes a system call by its raw number. Syscall numbers and argument conventions differ between operating systems and CPU architectures, so the same call that is write(2) on one box selects a different syscall on another, and nothing checks the arguments you hand to it; 'syscall' is therefore essentially unsafe and unportable. The DL library, superseded by Fiddle in current Ruby (https://apidock.com/ruby/Fiddle), is preferred for safer and a bit more portable programming: it resolves C functions by name and lets libc pick the right syscall for the platform.
Definition
rules:
- id: dangerous-syscall
  pattern: |
    syscall
  message: "'syscall' is essentially unsafe and unportable. The DL
    (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit
    more portable programming."
  metadata:
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    owasp:
    - A03:2021 - Injection
    category: security
    technology:
    - ruby
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    cwe2022-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Code Injection
  severity: WARNING
  languages:
  - ruby
Examples
dangerous-syscall.rb
def test
  # ruleid:dangerous-syscall
  syscall 4, 1, "hello\n", 6 # '4' is write(2) on our box; args: fd 1, buffer, 6 bytes
end
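The flagged call above hard-codes syscall number 4, which is write(2) only on some ABIs (32-bit x86 Linux and macOS); on x86_64 Linux number 4 is stat(2), so the same line does something else on another machine. The following is an added example, not part of the Semgrep rule or of Ruby's own documentation, showing the Fiddle replacement the rule message recommends: write(2) is resolved from libc by name through Fiddle::Handle::DEFAULT (RTLD_DEFAULT), so libc chooses the correct syscall for the platform. The helper names `portable_write` and `roundtrip` are this example's own; it assumes a Ruby built with Fiddle (libffi) on a POSIX system.

```ruby
require 'fiddle'

# Resolve the libc symbol `write` by name instead of by syscall number.
# Handle::DEFAULT searches the already-loaded libraries (RTLD_DEFAULT).
# Signature: ssize_t write(int fd, const void *buf, size_t count)
WRITE = Fiddle::Function.new(
  Fiddle::Handle::DEFAULT['write'],
  [Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP, Fiddle::TYPE_SIZE_T],
  Fiddle::TYPE_SSIZE_T
)

# Portable replacement for `syscall 4, fd, data, len`.
# Writes all of +data+ to file descriptor +fd+, retrying on short writes,
# and raises the matching Errno::* on failure instead of returning -1.
def portable_write(fd, data)
  buf = Fiddle::Pointer[data]          # pointer to the String's bytes
  total = 0
  while total < data.bytesize
    n = WRITE.call(fd, buf + total, data.bytesize - total)
    raise SystemCallError.new('write', Fiddle.last_error) if n < 0
    total += n
  end
  total
end

# Demonstration through a pipe rather than stdout, so the result can be
# checked: returns [bytes_written, bytes_read_back].
def roundtrip(msg)
  r, w = IO.pipe
  written = portable_write(w.fileno, msg)
  w.close
  out = r.read
  r.close
  [written, out]
end

if __FILE__ == $0
  p roundtrip("hello\n")   # => [6, "hello\n"]
end
```

The Semgrep rule would not flag this version: there is no `syscall` token, and the only platform-specific decision (which syscall number backs `write`) is made inside libc. Writing to a pipe in the demonstration keeps the example silent and lets the short-write loop be exercised without touching the terminal.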
Short Link: https://sg.run/DJkv