
Using shell interpreter when executing OS commands is security-sensitive


    Details

    • Message:
      Make sure that using the shell when executing this OS command is safe here.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Cobol, Go, Kotlin, Objective-C, PL/SQL, Ruby, Rust, Scala, Solidity, Swift, T-SQL
    • Covered Languages:
      ABAP, JavaScript, PHP, Python, TypeScript, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-78
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process started directly: the shell interprets meta-characters, so when a parameter is user-controlled those characters can be used to inject additional OS commands.

      Ask Yourself Whether

      • OS command name or parameters are user-controlled.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      Use functions that don't spawn a shell.
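      Added example (not part of the rule page or of SonarSource's own code) showing the flagged pattern beside the recommended one in Python, one of the covered languages. The sample user-supplied value and the helper names are constructed for illustration; the child process is the Python interpreter itself so the example runs offline.

```python
import shlex
import subprocess
import sys

# Constructed sample of user-controlled data (not from the rule page): a
# file name that happens to contain shell metacharacters.
USER_SUPPLIED_NAME = "report.txt; echo injected"


def run_with_shell(command_line: str) -> str:
    """The pattern this rule flags: the whole string is handed to the system
    shell, so metacharacters inside any user-controlled part are parsed as
    shell syntax. Shown for contrast only; nothing in this module calls it."""
    return subprocess.run(command_line, shell=True, capture_output=True, text=True).stdout


def run_without_shell(argv: list[str]) -> str:
    """The recommended form: the program is started directly from an argument
    vector. Each element reaches the program as one literal argument, so ';',
    '&&', '|' or '$(...)' inside user data carry no meaning to anyone."""
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


def echo_argument(user_value: str) -> str:
    """Hypothetical helper: pass user_value to a child process and return
    exactly what the child received. The current Python interpreter stands in
    for an external tool so the example is portable."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", user_value]
    return run_without_shell(argv)


def quote_for_shell(user_value: str) -> str:
    """Fallback for the rare case where a shell really is required (pipelines,
    globbing): quote each user-controlled fragment so the shell treats it as a
    single word rather than as syntax."""
    return shlex.quote(user_value)


if __name__ == "__main__":
    # The child sees the metacharacters as plain text, not as a second command.
    print("child received:", repr(echo_argument(USER_SUPPLIED_NAME)))
    print("quoted for a shell:", quote_for_shell(USER_SUPPLIED_NAME))
```

      Passing an argument vector is the fix the rule asks for; quoting with shlex.quote is only a mitigation for code that cannot avoid the shell, and every user-controlled fragment must be quoted, not just the ones that look suspicious.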

      See


          Issue Links

          1. Java RSPEC-4860 (Language-Specification, Deprecated, Unassigned)
          2. C# RSPEC-4870 (Language-Specification, Deprecated, Unassigned)
          3. VB.NET RSPEC-4966 (Language-Specification, Deprecated, Unassigned)
          4. JavaScript RSPEC-5045 (Language-Specification, Active, Unassigned)
          5. Python RSPEC-5182 (Language-Specification, Deprecated, Unassigned)
          6. ABAP RSPEC-5360 (Language-Specification, Active, Unassigned)


              People

              Assignee: Eric Therond (eric.therond)
              Reporter: Alexandre Gigleux (alexandre.gigleux)
