Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

S4036 Searching OS commands in PATH is security-sensitive #2036

Closed
eric-therond-sonarsource opened this issue Jul 14, 2020 · 0 comments · Fixed by #3148
Closed

S4036 Searching OS commands in PATH is security-sensitive #2036

eric-therond-sonarsource opened this issue Jul 14, 2020 · 0 comments · Fixed by #3148
Assignees
@ilia-kebets-sonarsource
Labels
topic: security type: new rule Creating a new rule not existing before
Milestone
9.3

Comments

@eric-therond-sonarsource
Copy link

eric-therond-sonarsource commented Jul 14, 2020
edited
Loading

Implements RSPEC-4036 part of MMF-2106

For both JS/TS

Code examples: https://github.com/SonarSource/security-expected-issues/tree/master/javascript/rules/hotspots/RSPEC-4036

Report on exec*/spawn*:

const cp = require('child_process');

cp.exec('file.exe'); // Sensitive
cp.execSync('file.exe'); // Sensitive
cp.spawn('file.exe'); // Sensitive
cp.spawnSync('file.exe'); // Sensitive
cp.execFile('file.exe'); // Sensitive
cp.execFileSync('file.exe'); // Sensitive

cp.exec('/usr/bin/file.exe'); // Compliant
cp.execSync('/usr/bin/file.exe'); // Compliant
cp.spawn('/usr/bin/file.exe'); // Compliant
cp.spawnSync('/usr/bin/file.exe'); // Compliant
cp.execFile('/usr/bin/file.exe'); // Compliant
cp.execFileSync('/usr/bin/file.exe'); // Compliant

when the first arg is not an absolute path or relative path (ie: the PATH environment variable is used to search the binary).

A check could be to look for the first chars of the string, if different from:

  • ./
  • .\
  • ../
  • ..\
  • /
  • \
  • C:\
@eric-therond-sonarsource eric-therond-sonarsource added the type: new rule Creating a new rule not existing before label Jul 14, 2020
@vilchik-elena vilchik-elena added this to the New Rules milestone Apr 25, 2022
@yassin-kammoun-sonarsource yassin-kammoun-sonarsource modified the milestones: New Rules, 9.3 Apr 29, 2022
Merged
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ilia-kebets-sonarsource ilia-kebets-sonarsource

Labels
topic: security type: new rule Creating a new rule not existing before
Projects
None yet
Milestone
9.3
Development

Successfully merging a pull request may close this issue.

Create rule S4036: Searching OS commands in PATH is security-sensitive SonarSource/SonarJS
4 participants
@vilchik-elena @yassin-kammoun-sonarsource @eric-therond-sonarsource @ilia-kebets-sonarsource