RSPEC-4828

Signalling processes is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that sending signals is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Targeted languages:
      C, C++, Go, JavaScript, Ruby
    • Covered Languages:
      PHP, Python
    • Irrelevant for Languages:
      CSS, HTML, XML
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-283

Description

Signalling processes is security-sensitive. It has led in the past to the following vulnerabilities:

Sending signals without checking properly which process will receive it can cause a denial of service.

Ask Yourself Whether

• the PID of the process to which the signal will be sent is coming from an untrusted source. It could for example come from a world-writable file.
• users who are asking for the signal to be sent might not have the permission to send those signals.

You are at risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

• If the signal is sent because of a user's request, check that the user is allowed to send this signal. You can for example forbid it if the user doesn't own the process.
• Secure the source from which the process PID is read.
• Run the process sending the signals with minimal permissions.
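The three practices above combined in one place, as an added Python example (Python is one of the rule's covered languages); this is not SonarSource's code nor part of the rule page. It assumes a Linux host where a process's owner can be read from /proc, and the function names, the pidfile and PID 1234 are constructed for the illustration: the pidfile is only accepted when it is owned by the caller and not writable by others, and a signal is only delivered when the requesting uid owns the exact target process.

```python
import os
import stat
import tempfile


class UnsafeSignalError(Exception):
    """Raised when a signal request fails one of the safety checks."""


def pid_from_file(path):
    """Read a target PID from a pidfile, refusing sources another user could edit.

    A pidfile that is group- or world-writable, owned by someone else, or a
    symlink lets a local user choose which process receives the signal.
    """
    st = os.lstat(path)                       # lstat: a symlink is not a regular file
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeSignalError("pidfile is not a regular file")
    if st.st_uid != os.geteuid():
        raise UnsafeSignalError("pidfile is owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeSignalError("pidfile is group- or world-writable")
    with open(path) as f:
        text = f.read().strip()
    if not text.isdigit():
        raise UnsafeSignalError("pidfile does not contain a PID")
    return int(text)


def process_owner(pid):
    """Owner uid of a running process, read from /proc (Linux assumption)."""
    return os.stat("/proc/%d" % pid).st_uid


def is_signal_allowed(pid, requester_uid, owner_lookup=process_owner):
    """True only if the requester owns exactly the process identified by pid."""
    if not isinstance(pid, int) or pid <= 0:
        # 0 and negative values address process groups or every process, not one PID
        return False
    try:
        owner = owner_lookup(pid)
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return False
    return owner == requester_uid


def safe_kill(pid, sig, requester_uid, owner_lookup=process_owner):
    """Send sig to pid on behalf of requester_uid, but only after the ownership check."""
    if not is_signal_allowed(pid, requester_uid, owner_lookup):
        raise UnsafeSignalError("uid %d may not signal pid %r" % (requester_uid, pid))
    os.kill(pid, sig)
    return True


def demo():
    """Constructed walkthrough: a protected pidfile, a world-writable one, and a self-signal."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("good", 0o600), ("bad", 0o666)):
            path = os.path.join(d, name + ".pid")
            with open(path, "w") as f:
                f.write("1234\n")             # constructed PID; it is never signalled here
            os.chmod(path, mode)
            try:
                results[name] = pid_from_file(path)
            except UnsafeSignalError as err:
                results[name] = "rejected: %s" % err
    # Signal 0 runs the kernel's permission checks without delivering anything;
    # the target is our own process, which we certainly own.
    me = os.getpid()
    results["self"] = safe_kill(me, 0, os.geteuid())
    # The same request from a different uid is refused before os.kill is reached.
    results["other_user"] = is_signal_allowed(me, os.geteuid() + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership check deliberately happens before os.kill: the kernel would also refuse a signal to another user's process, but relying on that error means an attacker-controlled PID still reaches the syscall, and a privileged sender (the third practice warns against exactly that) would have no such safety net.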

      See

Issue Links

1. PHP RSPEC-5100 Language-Specification Active Unassigned
2. Python RSPEC-5183 Language-Specification Active Unassigned

People

• Assignee:
  Unassigned
• Reporter:
  nicolas.harraudeau Nicolas Harraudeau
• Votes:
  0
• Watchers:
  1