Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-5304

Using environment variables is security-sensitive


    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that environment variables are used safely here
    • Default Severity:
    • Impact:
    • Likelihood:
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6
    • Covered Languages:
    • Irrelevant for Languages:
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-526, CWE-74


      Using environment variables is security-sensitive. For example, their use has led in the past to the following vulnerabilities:

      Environment variables are sensitive to injection attacks, just like any other input.

      Note also that environment variables can be exposed in multiple ways, storing sensitive information in them should be done carefully:

      • on Unix systems environment variables of one process can be read by another process running with the same UID.
      • environment variables might be forwarded to child processes.
      • application running in debug mode often exposes their environment variable.

      This rule raises an issue when environment variables are read.

      Ask Yourself Whether

      • Environment variables are used without being sanitized.
      • You store sensitive information in environment variables and other processes might be able to access them.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Sanitize every environment variable before using its value.

      If you store sensitive information in an environment variable, make sure that no other process can access them, i.e. the process runs with a separate user account and child processes don't have access to their parent's environment.

      Don't run your application in debug mode if it has access to sensitive information, including environment variables.


      • MITRE, CWE-526 - Information Exposure Through Environmental Variables
      • MITRE, CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')


          Issue Links

          Java RSPEC-5315 Language-Specification Active Unassigned



              • Assignee:
                nicolas.harraudeau Nicolas Harraudeau
              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created: