Rule Request: UnnecessaryShellCommand

[mcandre]

New Issue Checklist

• Updated SwiftLint to the latest version
• I searched for existing GitHub issues

New rule request

As an engineer, I want to be warned early when my Swift code is trying to shell out for things that Swift libraries already provide, such as:

• curl/wget (Can probably use URLRequest)
• sed/awk/gawk/nawk (Can use NSRegularExpression)
• jq (Can use JSONSerialization)

This rule would encourage more performant applications, remove dependencies on unnecessary software components, reduce attack surfaces, and increase cross-platform support, by avoiding relying on platform-specific shell command syntax.

Example triggers:

• Supplying a Process object with a launchPath ending with curl, wget, sed, awk, jq, jq.exe, etc.

Example non-triggers:

• Supplying a Process object with an argument of curl, wget, sed, awk, jq, jq.exe, etc.

This rule should contain a limited number of common shell commands, such as those listed above. We can add more over time. Configuration for this rule should be able to customize which of these command patterns is relevant to the user's Swift project.

As a security concern, this rule can reasonably become a default rule, as shelling out introduces additional security risks, including shell injections, compared to sticking to pure Swift code.

I would be happy to see this rule be included in Swift's available suite of checks, and if we find we're happy to apply it in a lot of places, then we can always turn it on by default later.

[marcelofabri]

@mcandre Is this something you're interested in working on? Let me know if you need help!