yaml.github-actions.security.curl-eval.curl-eval

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: curl-eval
    languages:
      - yaml
    message: Data is being eval'd from a `curl` command. An attacker with control of
      the server in the `curl` command could inject malicious code into the
      `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if
      you can. If you must do this, consider checking the SHA sum of the content
      returned by the server to verify its integrity.
    metadata:
      category: security
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
      technology:
        - github-actions
        - bash
        - curl
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    patterns:
      - pattern-inside: "steps: [...]"
      - pattern-inside: |
          - run: ...
            ...
      - pattern: "run: $SHELL"
      - metavariable-pattern:
          language: bash
          metavariable: $SHELL
          patterns:
            - pattern: |
                $DATA=<... curl ...>
                ...
                eval <... $DATA ...>
    severity: ERROR

Examples

curl-eval.test.yaml

name: Build and deploy Semgrep scanner lambda

on:
  workflow_dispatch:
  push:
    branches: develop

jobs:
  docker-build:
    runs-on: ubuntu-latest
    env:
      workdir: lambdas/run-semgrep
    steps:
      - uses: actions/checkout@v2
      - name: Build Docker image
        working-directory:
          ${{ env.workdir }}/src
          # ok: curl-eval
        run: docker build -t semgrep-scanner:latest .
      - name:
          blah
          # ruleid: curl-eval
        run: |
          CONTENTS=$(curl https://blah.com)
          eval $CONTENTS