
Signalling processes is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that sending signals is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Go, JavaScript, Ruby
    • Covered Languages:
      PHP, Python
    • Irrelevant for Languages:
      CSS, HTML, XML
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-283

      Description

      Signalling processes is security-sensitive. It has led in the past to the following vulnerabilities:

      Sending signals without properly checking which process will receive them can cause a denial of service.

      Ask Yourself Whether

      • the PID of the process to which the signal will be sent is coming from an untrusted source. It could for example come from a world-writable file.
      • users who are asking for the signal to be sent might not have the permission to send those signals.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • If the signal is sent because of a user's request, check that the user is allowed to send this signal. You can for example forbid it if the user doesn't own the process.
      • Secure the source from which the process PID is read.
      • Run the process sending the signals with minimal permissions.
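The following is an added example illustrating the two checks above, not code from the rule or from SonarSource: the PID is treated as untrusted input (for instance read from a world-writable PID file) and is only accepted if it is a strictly positive integer, and the signal is only forwarded to `os.kill` if the requesting user owns the target process. The `/proc`-based ownership lookup is a Linux-only assumption; the `owner_uid_of` parameter lets the check run against a constructed process table as well.

```python
import os
import signal
from typing import Callable, Optional

# Added example, not part of RSPEC-4828: a guard in front of os.kill that
# validates an untrusted PID and checks that the requester owns the process.


class SignalRequestRejected(Exception):
    """Raised when a signal request fails validation."""


def parse_pid(raw: str) -> int:
    """Parse an untrusted PID string into a strictly positive integer.

    0 and negative values are legal arguments to kill(2) but address a whole
    process group (or every process the caller may signal), so a PID read
    from a file must never be forwarded unchecked.
    """
    text = raw.strip()
    # str.isdigit() rejects empty strings, sign characters and letters
    if not text.isdigit():
        raise SignalRequestRejected(f"PID is not a positive integer: {raw!r}")
    pid = int(text)
    if pid <= 0:
        raise SignalRequestRejected(f"PID out of range: {pid}")
    return pid


def linux_owner_uid(pid: int) -> Optional[int]:
    """Owner UID of a process, read from /proc/<pid> (Linux only, assumed).

    Returns None when no such process exists.
    """
    try:
        return os.stat(f"/proc/{pid}").st_uid
    except FileNotFoundError:
        return None


def check_signal_request(
    raw_pid: str,
    requester_uid: int,
    owner_uid_of: Callable[[int], Optional[int]] = linux_owner_uid,
) -> int:
    """Validate a signal request and return the PID it may be delivered to."""
    pid = parse_pid(raw_pid)
    owner = owner_uid_of(pid)
    if owner is None:
        raise SignalRequestRejected(f"no such process: {pid}")
    if owner != requester_uid:
        raise SignalRequestRejected(
            f"user {requester_uid} does not own process {pid} (owner {owner})"
        )
    return pid


def send_signal_for_user(
    raw_pid: str,
    requester_uid: int,
    sig: int = signal.SIGTERM,
    owner_uid_of: Callable[[int], Optional[int]] = linux_owner_uid,
) -> None:
    """Send `sig` only after the request passed both checks."""
    pid = check_signal_request(raw_pid, requester_uid, owner_uid_of)
    os.kill(pid, sig)


if __name__ == "__main__":
    # Constructed process table (PID -> owner UID) for a stand-alone demo;
    # no real process is signalled here.
    fake_table = {1234: 1000, 4321: 0}
    print("accepted:", check_signal_request("1234", 1000, fake_table.get))
    for raw in ("4321", "-1", "0", "99", "12a"):
        try:
            check_signal_request(raw, 1000, fake_table.get)
        except SignalRequestRejected as exc:
            print("rejected:", exc)
```

The ownership check only makes sense if the signalling process itself runs with minimal privileges: a process running as root can signal anything, so the check in code is a second line of defence, not a substitute for dropping privileges.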

      See

      Issue Links

      1. PHP RSPEC-5100 Language-Specification Active Unassigned
      2. Python RSPEC-5183 Language-Specification Active Unassigned

      People

      • Assignee: Unassigned
      • Reporter: nicolas.harraudeau Nicolas Harraudeau
      • Votes: 0
      • Watchers: 1

      Dates

      • Created:
      • Updated: