ruby.lang.security.dangerous-syscall.dangerous-syscall

Author: semgrep
Downloads: 6,314

'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.

Definition

rules:
  - id: dangerous-syscall
    pattern: |
      syscall
    message: "'syscall' is essentially unsafe and unportable. The DL
      (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit
      more portable programming."
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      category: security
      technology:
        - ruby
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    languages:
      - ruby

Examples

dangerous-syscall.rb

def test
  # ruleid:dangerous-syscall
  syscall 4, 1, "hello\n", 6   # '4' is write(2) on our box
end
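The flagged call above hard-codes a syscall number that only means write(2) on one platform. As an added example (not part of the Semgrep rule or its test file), the same write done through Fiddle, which resolves write(2) from libc by name; it assumes a Unix-like libc and that the Fiddle default gem is available.

```ruby
require 'fiddle'

# Resolve libc's write(2) by symbol through the default (running process)
# handle, so no platform-specific syscall number is baked into the code.
LIBC_WRITE = Fiddle::Function.new(
  Fiddle::Handle::DEFAULT['write'],
  [Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP, Fiddle::TYPE_SIZE_T],
  Fiddle::TYPE_SSIZE_T
)

# Write +data+ to file descriptor +fd+ via libc; returns the byte count
# reported by write(2). Fiddle still crosses into native code, so the
# argument types and the buffer's lifetime remain the caller's job:
# +buf+ is kept in a local so the String is not collected mid-call.
def libc_write(fd, data)
  buf = Fiddle::Pointer[data]
  LIBC_WRITE.call(fd, buf, data.bytesize)
end

# Exercises the replacement on a pipe instead of stdout so the written
# bytes can be read back and checked. Returns [bytes_written, contents].
def write_through_pipe(data)
  r, w = IO.pipe
  n = libc_write(w.fileno, data)
  w.close
  out = r.read
  r.close
  [n, out]
end

if __FILE__ == $0
  n, out = write_through_pipe("hello\n")
  puts "wrote #{n} bytes: #{out.inspect}"
end
```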