scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run

Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands, and validate or allow-list any element of that `Seq` that originates from untrusted input.
Definition
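rules:
  - id: scala-dangerous-process-run
    # Reports scala.sys.process sinks whose command is not a literal. A command
    # built from runtime data lets whoever controls that data choose the
    # executable and its arguments (CWE-78).
    patterns:
      - pattern-either:
          # Run (exit code), run-and-capture-stdout, and lazily streamed stdout.
          - pattern: $X.!
          - pattern: $X.!!
          - pattern: $X.lazyLines
          # The same sinks with stdin connected (`!<`, `!!<`) and the
          # non-throwing streaming variant (`lazyLines_!`); each of these
          # spawns a process exactly like the three above.
          - pattern: $X.!<
          - pattern: $X.!!<
          - pattern: $X.lazyLines_!
      # Fire only where the sys.process implicits are in scope, so an
      # unrelated `!` (e.g. Akka's `actor ! msg`) is not reported.
      # NOTE(review): a fully qualified `import scala.sys.process._` may not
      # be matched by this prefix — verify with a fixture before relying on it.
      - pattern-inside: |
          import sys.process
          ...
      # A literal command, inline or bound to a `val` in the same scope, is
      # not attacker-controlled.
      # NOTE(review): whether `"..."` also exempts an interpolated `s"..."`
      # command is not established here; an interpolated command should still
      # be reported — confirm with a fixture.
      - pattern-not: |
          "...".!
      - pattern-not: |
          "...".!!
      - pattern-not: |
          "...".lazyLines
      - pattern-not: |
          "...".!<
      - pattern-not: |
          "...".!!<
      - pattern-not: |
          "...".lazyLines_!
      - pattern-not: |
          Seq(...).!
      - pattern-not: |
          Seq(...).!!
      - pattern-not: |
          Seq(...).lazyLines
      - pattern-not: |
          Seq(...).!<
      - pattern-not: |
          Seq(...).!!<
      - pattern-not: |
          Seq(...).lazyLines_!
      - pattern-not-inside: |
          val $X = "..."
          ...
      - pattern-not-inside: |
          val $X = Seq(...)
          ...
    message: Found dynamic content used for the external process. This is dangerous
      if arbitrary data can reach this function call because it allows a
      malicious actor to execute commands. Use `Seq(...)` for dynamically
      generated commands, and validate or allow-list any element of that
      `Seq` that comes from untrusted input.
    languages:
      - scala
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      technology:
        - scala
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]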
Examples
scala-dangerous-process-run.scala
import akka.actor.{Props, Actor}
import scala.concurrent.duration._
import akka.pattern.ask
/**
 * Semgrep fixture for the `scala-dangerous-process-run` rule.
 *
 * Each method imports `sys.process._` locally so the rule's
 * `pattern-inside: import sys.process` constraint holds only where intended.
 * `// ruleid:` marks a line the rule must report, `// ok:` one it must not.
 * `Action` and `Ok` are not defined in this file (presumably a Play
 * controller context); the rule ignores them and keys only on the receiver
 * of `!`, `!!` and `lazyLines`.
 */
class TestOsCommand {
// Receiver `value` is a method parameter, not a literal: reported.
// NOTE(review): sys.process splits a String command on whitespace rather than
// handing it to a shell, but the caller still chooses the executable and every
// argument — confirm against the ProcessBuilder docs before relying on this.
def executeCommand(value:String) = Action {
import sys.process._
// ruleid: scala-dangerous-process-run
val result = value.!!
Ok("Result:\n"+result)
}
// Same sink via the postfix `!` (exit code only): reported.
// NOTE(review): a trailing `!` may make scalac continue the expression onto
// the next line; this fixture is only matched, never compiled.
def executeCommand2(value:String) = Action {
import sys.process._
// ruleid: scala-dangerous-process-run
val result = value !
Ok("Result:\n"+result)
}
// Lazily streamed stdout; the process is still spawned from `value`: reported.
def executeCommand3(value:String) = Action {
import sys.process._
// ruleid: scala-dangerous-process-run
val result = value.lazyLines
Ok("Result:\n"+result)
}
// `cmd` is bound to a string literal in the same scope, so the rule's
// `pattern-not-inside: val $X = "..."` exemption applies: not reported.
def executeCommand4(value:String) = Action {
import sys.process._
// ok: scala-dangerous-process-run
val cmd = "ls -lah"
val result = cmd.!
Ok("Result:\n"+result)
}
// `cmd` is bound to a `Seq(...)` literal in the same scope
// (`pattern-not-inside: val $X = Seq(...)`): not reported.
def executeCommand5() = Action {
import sys.process._
// ok: scala-dangerous-process-run
val cmd = Seq("ls", "-lah")
val result = cmd.!
Ok("Result:\n"+result)
}
// Inline `Seq(...)` receiver (`pattern-not: Seq(...).!!`): not reported.
def executeCommand6() = Action {
import sys.process._
// ok: scala-dangerous-process-run
val result = Seq("ls", "-lah").!!
Ok("Result:\n"+result)
}
// No `import sys.process._` in scope, so `pattern-inside` fails; this `!` is
// the Akka tell operator on an Actor, not a process launch: not reported.
def executeCommand7(sender: Actor) = {
// ok: scala-dangerous-process-run
sender ! "FooBar"
}
}