Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[java] Rule Request: UnnecessaryShellCommand #1478

Open
mcandre opened this issue Nov 20, 2018 · 3 comments
Open

[java] Rule Request: UnnecessaryShellCommand #1478

mcandre opened this issue Nov 20, 2018 · 3 comments
Labels
a:new-rule Proposal to add a new built-in rule a:suggestion An idea, with little analysis on feasibility, to be considered

Comments

@mcandre
Copy link

mcandre commented Nov 20, 2018

As an engineer, I want to be warned early when my application code is trying to shell out for things that libraries already provide, such as:

  • curl/wget (Can probably use a URL request)
  • sed/awk/gawk/nawk (Can just use a regular expression)
  • jq (Can use a JSON marshaller)

This rule would encourage more performant applications, remove dependencies on unnecessary software components, reduce attack surfaces, and increase cross-platform support, by avoiding relying on platform-specific shell command syntax.

Example triggers:

  • Supplying a process object with a launch path ending with curl, wget, sed, awk, jq, jq.exe, etc.

Example non-triggers:

  • Supplying a process object with an argument of curl, wget, sed, awk, jq, jq.exe, etc. While there are plenty of cases where these would constitute unnecessary shell commands, such as /usr/bin/env curl... or exec wget..., the false positives for such commands are unfortunately more numerous than the true positives.

This rule should contain a limited number of common shell commands, such as those listed above. We can add more over time. Configuration for this rule should be able to customize which of these command patterns is relevant to the user's application needs.

As a security concern, this rule can reasonably become a default rule, as shelling out introduces additional security risks, including shell injections, compared to sticking to pure library code.

I would be happy to see this rule be included in PMD's available suite of checks, and if we find we're happy to apply it in a lot of places, then we can always turn it on by default later.
@adangel
Copy link
Member

adangel commented Nov 25, 2018

@mcandre This sounds interesting.
Which language do you have in mind? Should this rule find such unnecessary shell commands from within Java code?

Or in other words: Should Java code like this for example

Runtime.getRuntime().exec("curl https://www.google.de");

be flagged?

@adangel adangel added a:suggestion An idea, with little analysis on feasibility, to be considered a:new-rule Proposal to add a new built-in rule labels Nov 25, 2018
@mcandre
Copy link
Author

mcandre commented Mar 2, 2019

We could encourage a lot better software with a basic set of blacklists: Invoking curl or wget with Runtime exec is no bueno.

@jsotuyod jsotuyod changed the title Rule Request: UnnecessaryShellCommand [java] Rule Request: UnnecessaryShellCommand Apr 1, 2019
@php-coder
Copy link

One more candidate: unzip

Ideally, the list should be configurable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
a:new-rule Proposal to add a new built-in rule a:suggestion An idea, with little analysis on feasibility, to be considered
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mcandre @php-coder @adangel