rspec/rules/S4823/python/rule.adoc

Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281[CVE-2018-7281]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326[CVE-2018-12326]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198[CVE-2011-3198]

Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.


Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure.


This rule raises an issue on every reference to ``++sys.argv++``, call to ``++optparse.OptionParser()++`` or a call to ``++argparse.ArgumentParser()++``. The goal is to guide security code reviews.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

include::../see.adoc[]

ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281[CVE-2018-7281]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326[CVE-2018-12326]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198[CVE-2011-3198]`

			`Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure.`

Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule raises an issue on every reference to ``++sys.argv++``, call to ``++optparse.OptionParser()++`` or a call to ``++argparse.ArgumentParser()++``. The goal is to guide security code reviews.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
			`ifdef::rspecator-view[]`
			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
			`endif::rspecator-view[]`