rspec/rules/S4823/python/rule.adoc

Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281[CVE-2018-7281]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326[CVE-2018-12326]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198[CVE-2011-3198]

Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.


Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure.


This rule raises an issue on every reference to ``++sys.argv++``, call to ``++optparse.OptionParser()++`` or a call to ``++argparse.ArgumentParser()++``. The goal is to guide security code reviews.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281[CVE-2018-7281]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326[CVE-2018-12326]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198[CVE-2011-3198]`

			`Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure.`

Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule raises an issue on every reference to ``++sys.argv++``, call to ``++optparse.OptionParser()++`` or a call to ``++argparse.ArgumentParser()++``. The goal is to guide security code reviews.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`