From 2298f36969f175908d2f0235efa8bdf2686c7f9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Fabianski?= Date: Wed, 31 Jan 2024 16:56:29 +0100 Subject: [PATCH] fix: snapshots --- .../__snapshots__/test.js.snap | 16 ++++++++-------- .../subproc/subproc/__snapshots__/test.js.snap | 18 +++++++++--------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap b/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap index e22997f09..f056409ac 100644 --- a/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap +++ b/tests/go/gosec/injection/subproc_injection/__snapshots__/test.js.snap @@ -9,7 +9,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 23, "full_filename": "/tmp/bearer-scan/main.go", @@ -43,7 +43,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 33, "full_filename": "/tmp/bearer-scan/main.go", @@ -77,7 +77,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 45, "full_filename": "/tmp/bearer-scan/main.go", @@ -111,7 +111,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 60, "full_filename": "/tmp/bearer-scan/main.go", @@ -145,7 +145,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 68, "full_filename": "/tmp/bearer-scan/main.go", @@ -179,7 +179,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 90, "full_filename": "/tmp/bearer-scan/main.go", @@ -213,7 +213,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 102, "full_filename": "/tmp/bearer-scan/main.go", @@ -247,7 +247,7 @@ exports[`go_gosec_injection_subproc_injection test 1`] = ` ], "id": "go_gosec_injection_subproc_injection", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_injection_subproc_injection", "line_number": 126, "full_filename": "/tmp/bearer-scan/main.go", diff --git a/tests/go/gosec/subproc/subproc/__snapshots__/test.js.snap b/tests/go/gosec/subproc/subproc/__snapshots__/test.js.snap index 05611c09d..fa12fbd41 100644 --- a/tests/go/gosec/subproc/subproc/__snapshots__/test.js.snap +++ b/tests/go/gosec/subproc/subproc/__snapshots__/test.js.snap @@ -9,7 +9,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 21, "full_filename": "/tmp/bearer-scan/main.go", @@ -43,7 +43,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 30, "full_filename": "/tmp/bearer-scan/main.go", @@ -77,7 +77,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 41, "full_filename": "/tmp/bearer-scan/main.go", @@ -111,7 +111,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 55, "full_filename": "/tmp/bearer-scan/main.go", @@ -145,7 +145,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 62, "full_filename": "/tmp/bearer-scan/main.go", @@ -179,7 +179,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 83, "full_filename": "/tmp/bearer-scan/main.go", @@ -213,7 +213,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 94, "full_filename": "/tmp/bearer-scan/main.go", @@ -247,7 +247,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 117, "full_filename": "/tmp/bearer-scan/main.go", @@ -281,7 +281,7 @@ exports[`go_gosec_subproc_subproc test 1`] = ` ], "id": "go_gosec_subproc_subproc", "title": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "description": "## Description\\n\\nOS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.\\n\\n## Remediations\\n\\n✅ Avoid User Input in OS Commands\\n\\nAlways steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.\\n\\n✅ Hardcoded Argument Set\\n\\nEnsure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.\\n\\n✅ Opt for Native Libraries\\n\\nDue to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.\\n\\n✅ Specify Full Path in Windows\\n\\nIf the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).\\n\\n\`\`\`go\\nuserData := []byte(\\"user data\\")\\n// create a temporary file in the application-specific directory\\nf, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\nif err != nil {\\n log.Fatal(err)\\n}\\n\\nif _, err := f.Write(userData); err != nil {\\n log.Fatal(err)\\n}\\n\\nif err := f.Close(); err != nil {\\n log.Fatal(err)\\n}\\n\\n// use the absolute path to the binary and the name of the temporary file\\n// steering clear of any user-provided filenames\\nout, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\nif err != nil {\\n log.Fatal(err)\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", + "description": "## Description\\n\\nOS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.\\n\\n## Remediations\\n\\nPrevent OS command injection by adhering to the following practices:\\n\\n❌ Avoid Direct User Input\\n\\nDo not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.\\n\\n✅ Implement Input Validation\\n\\nEnsure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.\\n\\n✅ Use Hardcoded Arguments\\n\\nWhen invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.\\n\\n✅ Utilize Temporary Files Securely\\n\\nWhen dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.\\n\\n✅ Employ Native Libraries\\n\\nWhere possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.\\n\\n\`\`\`go\\nimport (\\n \\"io/ioutil\\"\\n \\"os/exec\\"\\n \\"log\\"\\n)\\n\\nfunc main() {\\n userData := []byte(\\"user data\\")\\n\\n // Create a temporary file in a secure, application-specific directory\\n f, err := ioutil.TempFile(\\"/var/app/restricted\\", \\"temp-*.dat\\")\\n if err != nil {\\n log.Fatal(err)\\n }\\n\\n // Write user data to the temporary file\\n if _, err := f.Write(userData); err != nil {\\n f.Close()\\n log.Fatal(err)\\n }\\n\\n // Close the file handle\\n if err := f.Close(); err != nil {\\n log.Fatal(err)\\n }\\n\\n // Execute a command using the temporary file, avoiding direct user input for filenames\\n out, err := exec.Command(\\"/bin/cat\\", f.Name()).Output()\\n if err != nil {\\n log.Fatal(err)\\n }\\n // Output can be used for further processing\\n}\\n\`\`\`\\n\\n## Resources\\n\\n- [OWASP OS Command Injection Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_subproc_subproc", "line_number": 127, "full_filename": "/tmp/bearer-scan/main.go",