17 lines
1022 B
Plaintext
17 lines
1022 B
Plaintext
Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281[CVE-2018-7281]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326[CVE-2018-12326]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198[CVE-2011-3198]
|
|
|
|
Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.
|
|
|
|
Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus passing sensitive information via command line arguments should be considered as insecure.
|
|
|
|
This rule raises an issue on every reference to <code>sys.argv</code>, call to <code>optparse.OptionParser()</code> or a call to <code>argparse.ArgumentParser()</code>. The goal is to guide security code reviews.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
include::../see.adoc[]
|