scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run


Found dynamic content passed to an external process. This is dangerous if arbitrary data can reach this call, because it lets a malicious actor execute commands. Use Seq(...) for dynamically generated commands, so that each argument is handed to the process as a separate token instead of being parsed out of a single string.


Definition

# Semgrep rule: report `sys.process` launches (`!`, `!!`, `lazyLines`) whose
# command value is neither a string literal nor a `Seq(...)`. There is no
# taint tracking here; the rule only looks at the syntactic shape of the
# receiver, which is why confidence is LOW (see metadata below).
rules:
  - id: scala-dangerous-process-run
    patterns:
      # Any of the three process-launching members called on some receiver $X.
      # The same $X metavariable is reused by the exclusions further down.
      - pattern-either:
          - pattern: $X.!
          - pattern: $X.!!
          - pattern: $X.lazyLines
      # Only fire where sys.process has been imported; this keeps unrelated
      # `!` members (e.g. an Akka actor tell) out of scope.
      - pattern-inside: |
          import sys.process
          ...
      # A string literal as the command cannot carry attacker-controlled data.
      - pattern-not: |
          "...".!
      - pattern-not: |
          "...".!!
      - pattern-not: |
          "...".lazyLines
      # `Seq(...)` is excluded regardless of its elements: each element is
      # passed as a separate argument, so shell-style splitting is avoided.
      # NOTE(review): a Seq whose elements are themselves untrusted, or that
      # hands its input to a shell interpreter, is still not reported — review
      # such call sites manually.
      - pattern-not: |
          Seq(...).!
      - pattern-not: |
          Seq(...).!!
      - pattern-not: |
          Seq(...).lazyLines
      # The same two exclusions when the command was first bound to a val
      # under the name later used as the receiver ($X).
      - pattern-not-inside: |
          val $X = "..."
          ...
      - pattern-not-inside: |
          val $X = Seq(...)
          ...
    message: Found dynamic content used for the external process. This is dangerous
      if arbitrary data can reach this function call because it allows a
      malicious actor to execute commands. Use `Seq(...)` for dynamically
      generated commands.
    languages:
      - scala
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      technology:
        - scala
      # LOW: the receiver's origin is not tracked, so a non-literal value that
      # is in fact constant is reported just like untrusted input.
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection

Examples

scala-dangerous-process-run.scala

import akka.actor.{Props, Actor}
import scala.concurrent.duration._
import akka.pattern.ask

/** Semgrep test fixture for `scala-dangerous-process-run`.
 *
 * Each method shows one way of launching an external process through
 * `sys.process`, or a look-alike that must not be reported. The
 * `// ruleid:` and `// ok:` comments are test annotations consumed by
 * semgrep's rule tests and must stay on the line directly before the
 * expression they describe. `Action` and `Ok` are not defined in this
 * file (presumably a Play-style controller DSL); the fixture only needs
 * to parse for the rule to be exercised. Every branch returns the raw
 * command output to the caller.
 */
class TestOsCommand {

  // `value` is a method parameter of unknown origin; `$X.!!` matches and
  // neither the string-literal nor the Seq exclusions apply.
  def executeCommand(value:String) = Action {
    import sys.process._

    // ruleid: scala-dangerous-process-run
    val result = value.!!
    Ok("Result:\n"+result)
  }

  // Postfix spelling of the same launch (`value !`); the ruleid annotation
  // indicates the `$X.!` pattern is expected to match this form as well.
  def executeCommand2(value:String) = Action {
    import sys.process._

    // ruleid: scala-dangerous-process-run
    val result = value !
    Ok("Result:\n"+result)
  }

  // Lazy variant; covered by the `$X.lazyLines` pattern.
  def executeCommand3(value:String) = Action {
    import sys.process._

    // ruleid: scala-dangerous-process-run
    val result = value.lazyLines
    Ok("Result:\n"+result)
  }

  // Receiver bound to a string literal in the same scope; suppressed by
  // the `val $X = "..."` pattern-not-inside.
  def executeCommand4(value:String) = Action {
    import sys.process._

    // ok: scala-dangerous-process-run
    val cmd = "ls -lah"
    val result = cmd.!
    Ok("Result:\n"+result)
  }

  // Receiver bound to a `Seq(...)` literal; suppressed by the
  // `val $X = Seq(...)` pattern-not-inside.
  def executeCommand5() = Action {
    import sys.process._

    // ok: scala-dangerous-process-run
    val cmd = Seq("ls", "-lah")
    val result = cmd.!
    Ok("Result:\n"+result)
  }

  // Direct `Seq(...).!!`; suppressed by the `Seq(...).!!` pattern-not.
  // NOTE(review): the exclusion accepts any Seq contents — a Seq whose
  // elements are derived from untrusted input would be accepted too.
  def executeCommand6() = Action {
    import sys.process._

    // ok: scala-dangerous-process-run
    val result = Seq("ls", "-lah").!!
    Ok("Result:\n"+result)
  }

  // Negative control: Akka's `!` (tell) takes an argument and no
  // `sys.process` import is in scope here, so the rule must stay silent.
  def executeCommand7(sender: Actor) = {
    // ok: scala-dangerous-process-run
    sender ! "FooBar"
  }

}