SonarPython issue SONARPY-826

Rule S2612: Setting loose POSIX file permissions is security-sensitive


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3
    • Component/s: Rules
    • Labels:

      Description

      General

      • If a mode cannot be resolved (for example, it is a variable or a call result), no issue should be raised.

      chmod, lchmod, fchmod

      If stat constants are used, an issue should be raised when any of the following is present in the mode (each of them grants a permission to "others"):

      • stat.S_IRWXO
      • stat.S_IROTH
      • stat.S_IWOTH
      • stat.S_IXOTH

      If the mode is a numeric literal, an issue should be raised when its integer value modulo 8 is not zero (mode % 8 != 0), i.e. when any of the three "other" permission bits is set. Modes are normally written as octal literals, but this is not required, so the check must work on the integer value regardless of how the literal was written (511 is 0o777, and 750 written in decimal is 0o1356).

      Noncompliant Code Example

      os.chmod("foo", 0o777)  # Sensitive
      os.chmod("foo", 0o007)  # Sensitive
      os.chmod("foo", 511)  # Sensitive
      os.chmod("foo", 750)  # Sensitive
      os.lchmod("foo", 0o777)  # Sensitive
      os.fchmod(fd, 0o777)  # Sensitive

      Compliant Code Example

      os.chmod("foo", 0)  # Compliant
      os.chmod("foo", 0o750)  # Compliant
      os.lchmod("foo", 0o770)  # Compliant
      os.fchmod(fd, 0o770)  # Compliant
      os.chmod("foo", mode)  # Compliant (unknown)

      umask

      An issue should be raised when the integer value of the mask modulo 8 is not seven (mask % 8 != 7), i.e. when the mask leaves any of the "other" permission bits uncleared for files created afterwards. Masks are normally written as octal literals, but this is not required, so the check works on the integer value.

      Noncompliant Code Example

      os.umask(0)  # Sensitive
      os.umask(0o750)  # Sensitive

      Compliant Code Example

      os.umask(0o777)  # Compliant
      os.umask(0o007)  # Compliant
      os.umask(mask)  # Compliant (unknown)

      Code samples: https://github.com/SonarSource/security-expected-issues/tree/master/python/rules/hotspots/RSPEC-2612
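The chmod/lchmod/fchmod rule and the umask rule above, as one added example (this is not SonarPython's implementation; the function names, the `os`/`stat` attribute matching and the constructed sample source are assumptions made here): a small `ast`-based checker that resolves the mode argument of each call, skips calls whose mode cannot be resolved, and applies the two modulo tests. Constants are resolved to their numeric values through the `stat` module, which makes the constant check and the numeric check the same test, because S_IRWXO, S_IROTH, S_IWOTH and S_IXOTH are exactly the low three bits of the mode.

```python
"""Added example (not SonarSource code): a minimal AST checker that applies the
S2612 decision logic to os.chmod/os.lchmod/os.fchmod and os.umask calls."""
import ast
import stat

CHMOD_FUNCS = {"chmod", "lchmod", "fchmod"}


def resolve_mode(node):
    """Return the integer value of a mode expression, or None if it cannot be
    resolved. Handles int literals, stat.S_* constants and `|` combinations of
    them; anything else (a variable, a call, arithmetic) is unresolved."""
    if (isinstance(node, ast.Constant) and isinstance(node.value, int)
            and not isinstance(node.value, bool)):
        return node.value
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "stat" and node.attr.startswith("S_")):
        value = getattr(stat, node.attr, None)
        return value if isinstance(value, int) else None
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):
        left, right = resolve_mode(node.left), resolve_mode(node.right)
        if left is None or right is None:
            return None
        return left | right
    return None


def mode_value(expr):
    """Resolve a single mode expression given as source text (helper for tests)."""
    return resolve_mode(ast.parse(expr, mode="eval").body)


def is_sensitive(func_name, value):
    """chmod family: sensitive when any 'other' bit is set (value % 8 != 0).
    umask: sensitive when any 'other' bit is left uncleared (value % 8 != 7)."""
    if func_name in CHMOD_FUNCS:
        return value % 8 != 0
    if func_name == "umask":
        return value % 8 != 7
    return False


def check_source(source):
    """Scan Python source text; return sorted (lineno, function, mode) tuples,
    one per sensitive os.chmod/os.lchmod/os.fchmod/os.umask call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "os" and func.attr in CHMOD_FUNCS | {"umask"}):
            continue
        # chmod/lchmod/fchmod take the mode as the 2nd positional argument (or the
        # `mode` keyword); umask takes the mask as its only positional argument.
        arg_index = 0 if func.attr == "umask" else 1
        mode_node = node.args[arg_index] if len(node.args) > arg_index else None
        if mode_node is None:
            for kw in node.keywords:
                if kw.arg == "mode":
                    mode_node = kw.value
        if mode_node is None:
            continue
        value = resolve_mode(mode_node)
        if value is None:
            continue  # unresolved mode: no issue, as the rule requires
        if is_sensitive(func.attr, value):
            findings.append((node.lineno, func.attr, value))
    return sorted(findings)


# Constructed sample input mirroring the rule's examples (not executed, only parsed).
SAMPLE = """
import os, stat
os.chmod("foo", 0o777)                         # sensitive
os.chmod("foo", 0o007)                         # sensitive
os.chmod("foo", 511)                           # sensitive: 511 == 0o777
os.chmod("foo", 750)                           # sensitive: 750 == 0o1356
os.chmod("foo", stat.S_IRWXU | stat.S_IROTH)   # sensitive: S_IROTH present
os.chmod("foo", 0)                             # compliant
os.chmod("foo", 0o750)                         # compliant
os.chmod("foo", stat.S_IRWXU | stat.S_IRWXG)   # compliant
os.chmod("foo", mode)                          # compliant (unknown)
os.umask(0)                                    # sensitive
os.umask(0o750)                                # sensitive
os.umask(0o777)                                # compliant
os.umask(0o007)                                # compliant
os.umask(mask)                                 # compliant (unknown)
"""

if __name__ == "__main__":
    for lineno, func_name, value in check_source(SAMPLE):
        print(f"line {lineno}: os.{func_name} with mode {value:#o} is security-sensitive")
```

Running the block reports the seven sensitive calls in SAMPLE and stays silent on the compliant ones and on the two calls whose argument is an unresolved name. The resolver deliberately returns None for anything it does not understand, so a construct it has not been taught (an arithmetic expression, a constant from another module) produces no finding rather than a false positive.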

      People

      Assignee: guillaume.dequenne (Guillaume Dequenne)
      Reporter: hendrik.buchwald (Hendrik Buchwald)