ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call
semgrepAuthor
unknown
Download Count*
License
Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
Run Locally
Run in CI
Defintion
rules:
- id: avoid-tainted-shell-call
metadata:
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
references:
- https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown
category: security
technology:
- rails
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Command Injection
message: Using user input when accessing files is potentially dangerous. A
malicious actor could use this to modify or access files they have no
right to.
languages:
- ruby
severity: ERROR
mode: taint
pattern-sources:
- pattern-either:
- pattern: params[...]
- pattern: cookies
- pattern: request.env
pattern-sinks:
- patterns:
- pattern-either:
- patterns:
- pattern: Kernel.$X(...)
- patterns:
- pattern-either:
- pattern: Shell.$X(...)
- patterns:
- pattern-inside: |
$SHELL = Shell.$ANY(...)
...
$SHELL.$X(...)
- pattern: $SHELL.$X(...)
- metavariable-pattern:
metavariable: $X
patterns:
- pattern-either:
- pattern: cat
- pattern: chdir
- pattern: chroot
- pattern: delete
- pattern: entries
- pattern: exec
- pattern: foreach
- pattern: glob
- pattern: install
- pattern: lchmod
- pattern: lchown
- pattern: link
- pattern: load
- pattern: load_file
- pattern: makedirs
- pattern: move
- pattern: new
- pattern: open
- pattern: read
- pattern: readlines
- pattern: rename
- pattern: rmdir
- pattern: safe_unlink
- pattern: symlink
- pattern: syscopy
- pattern: sysopen
- pattern: system
- pattern: truncate
- pattern: unlink
Examples
avoid-tainted-shell-call.rb
def foo
# ruleid: avoid-tainted-shell-call
Shell.cat(params[:filename])
sh = Shell.cd("/tmp")
# ruleid: avoid-tainted-shell-call
sh.open(params[:filename])
sh = Shell.new
fn = params[:filename]
# ruleid: avoid-tainted-shell-call
sh.open(fn)
# ok: avoid-tainted-shell-call
Shell.cat("/var/log/www/access.log")
end
def foo2(param1)
# ok: avoid-tainted-shell-call
new(params).call
end
def foo3(param1, param2, param3)
# ok: avoid-tainted-shell-call
new(param1, params2, param3).execute
end
def foo4(param1, param2)
# ok: avoid-tainted-shell-call
new(param1, param2).execute
end
def foo5(param1, param2, param3)
# ok: avoid-tainted-shell-call
new(param1, param2, param3).execute
end
Short Link: https://sg.run/4e8E