Rules Repository: RSPEC-4721

Executing OS commands is security-sensitive

    Details

    • Message:
      Make sure that executing this OS command is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Cobol, Go, Kotlin, Objective-C, PL/SQL, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript
    • Covered Languages:
      ABAP, C#, Java, JavaScript, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-78
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      OS commands are security-sensitive. For example, their use has led in the past to the following vulnerabilities:

      Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any externally-provided input used to construct those commands. Failure to do so could allow an attacker to execute unexpected or dangerous commands, potentially leading to loss of confidentiality, integrity or availability.

      This rule flags code that specifies the name of the command to run. The goal is to guide security code reviews.

      Ask Yourself Whether

      • the executed command is constructed by input that is externally-influenced, for example, user input (attacker).
      • the command execution is not restricted to the right users.
      • the application can be redesigned to not rely on external input to execute the command.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Restrict the control given to the user over the executed command:

      • make the executed command part of a whitelist and reject all commands not part of this list.
      • sanitize the user input.

      Restrict which users can have access to the command:

      • use a firewall to protect the process running the code, and to protect the network from the command.
      • authenticate the user and allow only some users to run the command.

      Reduce the damage the command can do:

      • execute the code in a sandbox environment that enforces strict boundaries between the operating system and the process. For example: a "jail".
      • refuse to run the command if the process has too many privileges. For example: forbid running the code as "root".
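      The three groups of practices above, combined in one Python example (added here; it is not SonarSource code and is not part of this rule specification). The command table, the permitted-user set, the hostname grammar and the executable paths are constructed assumptions for the illustration:

```python
import os
import re
import subprocess
from typing import Dict, List

# Added example, not SonarSource code. It demonstrates the recommendations of
# RSPEC-4721: an allowlist of commands, validated input passed as a separate
# argv element (never through a shell), an authorisation check on the caller,
# and a refusal to run when the process is privileged.

# Allowlist (constructed): command name -> fixed executable path and fixed
# leading arguments. Anything not in this table is rejected outright.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ping": ["/bin/ping", "-c", "1", "-w", "5"],
    "dig": ["/usr/bin/dig", "+short"],
}

# Principals permitted to trigger command execution (constructed).
ALLOWED_USERS = {"ops-admin", "netops"}

# Hostname grammar: labels of letters, digits and hyphens joined by dots.
# A leading hyphen is excluded so the value can never be read as an option.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\.?$")


class CommandPolicyError(Exception):
    """Raised when a request fails the allowlist, input or privilege checks."""


def validate_target(target: str) -> str:
    """Accept only a syntactically valid hostname; reject shell metacharacters."""
    if len(target) > 253 or not HOSTNAME_RE.fullmatch(target):
        raise CommandPolicyError(f"rejected target: {target!r}")
    return target


def build_argv(command: str, target: str, requesting_user: str) -> List[str]:
    """Return the argv to execute, or raise if the request violates policy."""
    if requesting_user not in ALLOWED_USERS:
        raise CommandPolicyError(f"user {requesting_user!r} may not run commands")
    if command not in ALLOWED_COMMANDS:
        raise CommandPolicyError(f"command {command!r} is not allowlisted")
    # Copy so callers cannot mutate the allowlist through the returned list.
    return list(ALLOWED_COMMANDS[command]) + [validate_target(target)]


def is_allowed(command: str, target: str, requesting_user: str) -> bool:
    """Boolean view of build_argv for callers that only need a yes/no answer."""
    try:
        build_argv(command, target, requesting_user)
        return True
    except CommandPolicyError:
        return False


def refuse_if_privileged() -> None:
    """Refuse to execute anything as root (os.geteuid is POSIX-only)."""
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        raise CommandPolicyError("refusing to execute OS commands as root")


def run_command(command: str, target: str, requesting_user: str) -> subprocess.CompletedProcess:
    refuse_if_privileged()
    argv = build_argv(command, target, requesting_user)
    # shell=False (the default): argv elements go straight to execve, so
    # nothing in `target` is ever interpreted by a shell.
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)


if __name__ == "__main__":
    requests = [
        ("ping", "example.com", "netops"),      # accepted
        ("ping", "example.com; x", "netops"),   # rejected: metacharacters
        ("rm", "example.com", "netops"),        # rejected: not allowlisted
        ("ping", "example.com", "guest"),       # rejected: user not authorised
    ]
    for cmd, tgt, user in requests:
        try:
            print("argv:", build_argv(cmd, tgt, user))
        except CommandPolicyError as exc:
            print("rejected:", exc)
```

      The user never chooses the command, only a validated argument that becomes its own argv element, so `subprocess.run` passes it to `execve` without a shell ever seeing it. The root check is a process-level safeguard and does not replace the sandbox the text recommends; the service should still run under an unprivileged account inside a container or jail.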

      See
          Issue Links

          1. Java RSPEC-4860 (Language-Specification, Deprecated, Unassigned)
          2. C# RSPEC-4870 (Language-Specification, Active, Unassigned)
          3. VB.NET RSPEC-4966 (Language-Specification, Deprecated, Unassigned)
          4. JavaScript RSPEC-5045 (Language-Specification, Active, Unassigned)
          5. Python RSPEC-5182 (Language-Specification, Active, Unassigned)
          6. ABAP RSPEC-5360 (Language-Specification, Active, Unassigned)

              People

              • Assignee: Unassigned
              • Reporter: Alexandre Gigleux (alexandre.gigleux)
              • Votes: 0
              • Watchers: 3
