ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6350/description.adoc

9 lines
624 B
Plaintext
Raw Normal View History

Create rule S6350: Constructing arguments of system commands from user input is security-sensitive (#260) * Create rule S6350 * Update description * Add code samples * Make stdin more verbose * Make stdin more verbose * Update recommended * Improve description * Extend ask yourself * Add compliant solutions and rename tainted variables * Add input var * Add link to blog post * Use find as example * Update csharp example * Add OWASP Top 10 2021 mapping * add missing message * fix metadata * Use type-safe in_array for PHP Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
2021-11-09 15:01:30 +01:00
Constructing arguments of system commands from user input is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9920[CVE-2016-9920]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29472[CVE-2021-29472]
Arguments of system commands are processed by the executed program. The arguments are usually used to configure and influence the behavior of the programs.
Control over a single argument might be enough for an attacker to trigger dangerous features like executing arbitrary commands or writing files into specific directories.
Reference in New Issue Copy Permalink