fix: update subcommand (#185)

Bearer · Dec 14, 2023 · f9defd2 · f9defd2
1 parent 94c49a3
commit f9defd2
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/rules/go/gosec/subproc/subproc.yml b/rules/go/gosec/subproc/subproc.yml
@@ -7,7 +7,7 @@ patterns:
       - variable: INPUT
         detection: go_shared_lang_dynamic_request_input
   - pattern: |
-      exec.Command($<INPUT>$<...>)
+      exec.Command($<...>$<INPUT>$<...>)
     filters:
       - variable: INPUT
         detection: go_shared_lang_dynamic_request_input

diff --git a/tests/go/gosec/subproc/subproc/__snapshots__/test.js.snap b/tests/go/gosec/subproc/subproc/__snapshots__/test.js.snap
@@ -274,6 +274,40 @@ exports[`go_gosec_subproc_subproc test 1`] = `
       "fingerprint": "9f7b927d8c9e1a6c92e17fb2d6db3b18_7",
       "old_fingerprint": "c7b747c46d0e283c15b7386a8c801ea8_7",
       "code_extract": "\\terr := exec.CommandContext(context.Background(), os.Args[0], \\"5\\").Run()"
+    },
+    {
+      "cwe_ids": [
+        "95"
+      ],
+      "id": "go_gosec_subproc_subproc",
+      "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
+      "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n  log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n  log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n  log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n  log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc",
+      "line_number": 127,
+      "full_filename": "/tmp/bearer-scan/main.go",
+      "filename": ".",
+      "source": {
+        "start": 127,
+        "end": 127,
+        "column": {
+          "start": 14,
+          "end": 51
+        }
+      },
+      "sink": {
+        "start": 127,
+        "end": 127,
+        "column": {
+          "start": 14,
+          "end": 51
+        },
+        "content": "exec.Command(\\"sh\\", \\"-c\\", commandLine)"
+      },
+      "parent_line_number": 127,
+      "snippet": "exec.Command(\\"sh\\", \\"-c\\", commandLine)",
+      "fingerprint": "9f7b927d8c9e1a6c92e17fb2d6db3b18_8",
+      "old_fingerprint": "c7b747c46d0e283c15b7386a8c801ea8_8",
+      "code_extract": "\\tres, err := exec.Command(\\"sh\\", \\"-c\\", commandLine).Output()"
     }
   ]
 }"

diff --git a/tests/go/gosec/subproc/subproc/testdata/main.go b/tests/go/gosec/subproc/subproc/testdata/main.go
@@ -120,3 +120,14 @@ func foo14() {
 	}
 	log.Printf("Command finished with error: %v", err)
 }
+
+func foo15(arg string) (results string, err error) {
+	commandLine := "mysql -h mysql -u root -prootwolf -e 'select adminsid from vulnapp.adminsessions where adminsessionid=\"" + arg + "\";'"
+
+	res, err := exec.Command("sh", "-c", commandLine).Output()
+	if err != nil {
+		fmt.Println(err)
+	}
+
+	return string(res), nil
+}