RSPEC-4036: Searching OS commands in PATH is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure the "PATH" used to find this command includes only what you intend.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Java, Objective-C, PHP, Python, Swift, VB6
    • Irrelevant for Languages:
      C#, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-427, CWE-426
    • OWASP:
      A1

      Description

      Unless you specify the full path to the executable when executing an OS command, the directories listed in your application's PATH environment variable are searched for it, in order. That search leaves an opening for an attacker if any directory in PATH is under their control.

      Ask Yourself Whether

      • The directories in the PATH environment variable may be defined by untrusted entities.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      A fully qualified (absolute) path should be used to specify the OS command to execute.
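      As an added example (not part of the rule text), the Python code below shows the bare-name lookup the description warns about next to the compliant form, which resolves the executable only against an explicit list of trusted directories and then runs it by absolute path. The `TRUSTED_DIRS` list, the temporary directories and the `hello` script are constructed for the demonstration.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Directories this application chooses to trust (assumed for the example).
TRUSTED_DIRS = ("/usr/bin", "/bin")

def is_fully_qualified(command: str) -> bool:
    """True when the command is an absolute path, so no PATH search happens."""
    return os.path.isabs(command)

def resolve_in_path(command: str, search_path: str):
    """Mirror the OS lookup for a bare command name: first hit in PATH wins."""
    return shutil.which(command, path=search_path)

def run_trusted(argv, trusted_dirs=TRUSTED_DIRS, **kwargs):
    """Compliant pattern: resolve a bare name only against trusted_dirs,
    then execute the resulting absolute path instead of the bare name."""
    exe = argv[0]
    if not is_fully_qualified(exe):
        found = shutil.which(exe, path=os.pathsep.join(trusted_dirs))
        if found is None:
            raise FileNotFoundError(f"{exe!r} not found in {trusted_dirs}")
        exe = found
    return subprocess.run([exe, *argv[1:]], check=True, **kwargs)

def demo() -> dict:
    """Constructed scenario: the same command name exists in a writable directory
    that precedes the trusted one in PATH; report what each lookup picked."""
    with tempfile.TemporaryDirectory() as tmp:
        writable, trusted = Path(tmp, "writable"), Path(tmp, "trusted")
        for directory, marker in ((writable, "from-writable"), (trusted, "from-trusted")):
            directory.mkdir()
            script = directory / "hello"          # constructed stand-in command
            script.write_text(f"#!/bin/sh\necho {marker}\n")
            script.chmod(0o755)
        lookup_path = os.pathsep.join([str(writable), str(trusted)])
        naive = resolve_in_path("hello", lookup_path)   # non-compliant lookup
        proc = run_trusted(["hello"], trusted_dirs=(str(trusted),),
                           capture_output=True, text=True)
        return {
            "naive_pick_dir": os.path.dirname(naive),
            "writable_dir": str(writable),
            "trusted_output": proc.stdout.strip(),
            "ran_absolute": is_fully_qualified(proc.args[0]),
        }
```

      The bare lookup returns the copy from the writable directory simply because it comes first in PATH, while `run_trusted` executes the trusted copy by its absolute path.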

          Issue Links

          1. Java RSPEC-5887 Language-Specification Active Unassigned
          2. C# RSPEC-5894 Language-Specification Active Unassigned
          3. JavaScript RSPEC-5895 Language-Specification Active Unassigned
          4. Python RSPEC-5896 Language-Specification Active Unassigned
          5. PHP RSPEC-5897 Language-Specification Active Unassigned

              People

              • Assignee: Unassigned
              • Reporter: ann.campbell.2 Ann Campbell
              • Votes: 0
              • Watchers: 2