#bash

Rulesets (1)

reverse-shells

Kurt Boberg

Rulset for reverse shells, by Kurt Boberg

Rules (8)

bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command

semgrep

bash

Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.

bash.lang.correctness.unquoted-expansion.unquoted-command-substitution-in-command

semgrep

bash

The result of command substitution $(...) or `...`, if unquoted, is split on whitespace or other separators specified by the IFS variable. You should surround it with double quotes to avoid splitting the result.

bash.lang.best-practice.iteration-over-ls-output.iteration-over-ls-output

semgrep

bash

Iterating over ls output is fragile. Use globs, e.g. 'dir/*' instead of '$(ls dir)'.

bash.curl.security.curl-pipe-bash.curl-pipe-bash

semgrep

bash

Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

generic.unicode.security.bidi.contains-bidirectional-characters

semgrep

This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.

bash.curl.security.curl-eval.curl-eval

semgrep

bash

Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

bash.lang.best-practice.useless-cat.useless-cat

semgrep

bash

Useless call to 'cat' in a pipeline. Use '<' and '>' for any command to read from a file or write to a file.

bash.lang.security.ifs-tampering.ifs-tampering

semgrep

bash

The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS="," read -a my_array'.