rust.lang.security.current-exe.current-exe

semgrep

Author

unknown

Download Count*

License

current_exe should not be used for security operations. From the docs: "The output of this function should not be trusted for anything that might have security implications. Basically, if users can run the executable, they can change the output arbitrarily."

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: current-exe
    message: 'current_exe should not be used for security operations. From the docs:
      "The output of this function should not be trusted for anything that might
      have security implications. Basically, if users can run the executable,
      they can change the output arbitrarily."'
    pattern: std::env::current_exe()
    metadata:
      references:
        - https://doc.rust-lang.org/stable/std/env/fn.current_exe.html#security
      technology:
        - rust
      category: security
      cwe: "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
      confidence: HIGH
      likelihood: LOW
      impact: LOW
      subcategory: audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - rust
    severity: INFO

Examples

current-exe.rs

use std::env;

// ruleid: current-exe
let exe = env::current_exe();

Short Link: https://sg.run/AW1B