yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection

Author: unknown

Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.

Definition

rules:
  - id: argo-workflow-parameter-command-injection
    message: Using input or workflow parameters in here-scripts can lead to command
      injection or code injection. Convert the parameters to env variables
      instead.
    languages:
      - yaml
    metadata:
      category: security
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 – Injection
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      subcategory:
        - vuln
      references:
        - https://github.com/argoproj/argo-workflows/issues/5061
        - https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370
      technology:
        - ci
        - argo
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
        - Command Injection
    severity: ERROR
    patterns:
      - pattern-inside: |
          apiVersion: $VERSION
          ...
      - metavariable-regex:
          metavariable: $VERSION
          regex: (argoproj.io.*)
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  command:
                    ...
                    - python
                    ...
                  ...
                  source: 
                    $SCRIPT
              - focus-metavariable: $SCRIPT
              - metavariable-pattern:
                  metavariable: $SCRIPT
                  language: python
                  patterns:
                    - pattern: |
                        $FUNC(..., $PARAM, ...)
                    - metavariable-pattern:
                        metavariable: $PARAM
                        pattern-either:
                          - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
                          - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
          - patterns:
              - pattern-inside: |
                  command:
                    ...
                    - $LANG
                    ...
                  ...
                  source: 
                    $SCRIPT
              - metavariable-regex:
                  metavariable: $LANG
                  regex: (bash|sh)
              - focus-metavariable: $SCRIPT
              - metavariable-pattern:
                  metavariable: $SCRIPT
                  language: bash
                  patterns:
                    - pattern: |
                        $CMD ... $PARAM  ...
                    - metavariable-pattern:
                        metavariable: $PARAM
                        pattern-either:
                          - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
                          - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
          - patterns:
              - pattern-inside: |
                  container:
                    ...
                    command: $LANG
                    ...
                    args: $PARAM
              - metavariable-regex:
                  metavariable: $LANG
                  regex: .*(sh|bash|ksh|csh|tcsh|zsh).*
              - metavariable-pattern:
                  metavariable: $PARAM
                  pattern-either:
                    - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
                    - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
              - focus-metavariable: $PARAM

Examples

argo-workflow-parameter-command-injection.test.yaml

apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  generateName: scripts-bash-
spec:
  entrypoint: print-message
  arguments:
    parameters:
      - name: message
  templates:
    - name: print-message
      inputs:
        parameters:
          - name: message
      script:
        image: debian:9.4
        command: [bash]
        # ruleid: argo-workflow-parameter-command-injection
        source: |
          echo {{inputs.parameters.message}}
    - name: print-message-sh
      inputs:
        parameters:
          - name: message
      script:
        image: debian:9.4
        command:
          - sh
        # ruleid: argo-workflow-parameter-command-injection
        source: |
          echo {{inputs.parameters.message}}
    - name: print-message-python
      inputs:
        parameters:
          - name: message
      script:
        image: debian:9.4
        command: [python]
        # ruleid: argo-workflow-parameter-command-injection
        source: |
          print("{{inputs.parameters.message}}")
    - name: print-message-args
      inputs:
        parameters:
        - name: message
      container:
        image: alpine:latest
        command: [sh, -c]
        # ruleid: argo-workflow-parameter-command-injection
        args: ["echo result was: {{inputs.parameters.message}}"]
    - name: print-message-secure
      inputs:
        parameters:
          - name: message
      script:
        image: debian:9.4
        # env is a list of name/value pairs; the parameter is expanded into the
        # variable's value, never into the script text itself.
        env:
          - name: MESSAGE
            value: "{{inputs.parameters.message}}"
        command: [bash]
        # ok: argo-workflow-parameter-command-injection
        source: |
          echo "$MESSAGE"
    - name: print-message-args-secure
      inputs:
        parameters:
          - name: message
      container:
        image: alpine:latest
        env:
          - name: MESSAGE
            value: "{{inputs.parameters.message}}"
        command: [sh, -c]
        # ok: argo-workflow-parameter-command-injection
        args: ['echo result was: "$MESSAGE"']
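To show why the rule treats the here-script and args templates above as injection sinks while accepting the env-based ones, here is an added Python example (not part of the Semgrep rule or of Argo Workflows): it mimics Argo's plain-text expansion of `{{inputs.parameters.*}}` references and measures how a parameter value changes the structure of the rendered bash or Python script. The parameter values and the `MESSAGE` variable name are constructed for the demonstration.

```python
import ast
import re
import shlex

# Argo expands {{inputs.parameters.X}} and {{workflow.parameters.X}} by plain
# text substitution before the step runs; nothing is quoted or escaped.
PARAM_REF = re.compile(r"\{\{\s*(?:inputs|workflow)\.parameters\.([\w-]+)\s*\}\}")

# Tokens that separate one simple command from the next in a POSIX shell.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def render(source: str, params: dict) -> str:
    """Mimic Argo's expansion of a script body or an args string."""
    return PARAM_REF.sub(lambda m: params[m.group(1)], source)


def shell_commands(script: str) -> int:
    """Rough count of the simple commands a shell would run for this text.

    shlex in punctuation mode returns ; | & && || as separate tokens, so a
    parameter value that introduces one has changed the command structure.
    This is a structural check for the demonstration, not a shell parser.
    """
    lex = shlex.shlex(script, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return 1 + sum(1 for tok in lex if tok in SHELL_SEPARATORS)


def python_statements(script: str) -> int:
    """Number of top-level statements in a rendered Python here-script."""
    return len(ast.parse(script).body)


def plan_with_env(param_name: str, env_name: str, params: dict):
    """The fix the rule recommends: the script text stays constant and the
    parameter travels through the container environment (env: in the spec)."""
    script = f'echo "${env_name}"'
    return script, {env_name: params[param_name]}


if __name__ == "__main__":
    # Constructed values: a plain message and one carrying a shell separator.
    for value in ("hello", "hello; echo INJECTED"):
        rendered = render("echo {{inputs.parameters.message}}", {"message": value})
        print(f"{rendered!r}: {shell_commands(rendered)} command(s)")
    script, env = plan_with_env("message", "MESSAGE", {"message": "hello; echo INJECTED"})
    print(f"{script!r} with env {env}: {shell_commands(script)} command(s)")
```

The same value that turns the interpolated `echo` into two commands stays a single argument when it reaches the shell through `$MESSAGE`, which is exactly the distinction the rule's `ruleid` and `ok` cases encode.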