51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
36 lines
1.2 KiB
Plaintext
36 lines
1.2 KiB
Plaintext
Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281[CVE-2018-7281]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326[CVE-2018-12326]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198[CVE-2011-3198]
|
|
|
|
Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.
|
|
|
|
|
|
Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure.
|
|
|
|
|
|
This rule raises an issue on every reference to ``++sys.argv++``, call to ``++optparse.OptionParser()++`` or a call to ``++argparse.ArgumentParser()++``. The goal is to guide security code reviews.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|