rust.lang.security.args.args

Author
unknown
args should not be used for security operations. From the docs: "The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes."
Definition
rules:
  - id: args
    message: 'args should not be used for security operations. From the docs: "The
      first element is traditionally the path of the executable, but it can be
      set to arbitrary text, and might not even exist. This means this property
      should not be relied upon for security purposes."'
    pattern: std::env::args()
    metadata:
      references:
        - https://doc.rust-lang.org/stable/std/env/fn.args.html
      technology:
        - rust
      category: security
      cwe: "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
      confidence: HIGH
      likelihood: LOW
      impact: LOW
      subcategory: audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - rust
    severity: INFO
Examples
args.rs
use std::env;
fn main() {
    // ruleid: args
    let args = env::args();
}
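The pattern the rule message warns about, next to a safer split, as an added example that is not part of the rule's own test file. The names `backup-admin`, `backup-tool` and all three functions are hypothetical, the argv values are constructed, and `euid` is assumed to be obtained from the operating system by the caller.

```rust
use std::env;

/// Pattern the rule is meant to surface: a privilege decision keyed on argv[0].
/// The parent process chooses argv[0], so any caller can present this name.
fn admin_mode_from_argv0<I: Iterator<Item = String>>(mut args: I) -> bool {
    match args.next() {
        // Compare the last path component against the hypothetical admin name.
        Some(name) => name.rsplit('/').next() == Some("backup-admin"),
        // argv can be empty; unwrap() or indexing [0] would panic here.
        None => false,
    }
}

/// Safe use: argv[0] only feeds a display label, with a fallback when it is absent.
fn display_name<I: Iterator<Item = String>>(mut args: I) -> String {
    args.next()
        .filter(|s| !s.is_empty())
        .unwrap_or_else(|| String::from("backup-tool"))
}

/// Safer decision: based on an identity the OS vouches for.
/// Assumption: `euid` comes from the kernel (for example geteuid), never from argv.
fn admin_mode_from_euid(euid: u32) -> bool {
    euid == 0
}

fn main() {
    // args_os + to_string_lossy avoids the panic env::args() raises on non-Unicode arguments.
    let argv: Vec<String> = env::args_os()
        .map(|a| a.to_string_lossy().into_owned())
        .collect();
    // Constructed argv showing what an unprivileged caller could present.
    let spoofed = vec![String::from("/tmp/backup-admin")];
    println!(
        "{}: argv0 check = {}, euid check = {}",
        display_name(argv.into_iter()),
        admin_mode_from_argv0(spoofed.into_iter()),
        admin_mode_from_euid(1000)
    );
}
```
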
Short Link: https://sg.run/RADN