diff --git a/rules/python/lang/os_command_injection.yml b/rules/python/lang/os_command_injection.yml new file mode 100644 index 00000000..e0e50afa --- /dev/null +++ b/rules/python/lang/os_command_injection.yml @@ -0,0 +1,141 @@ +imports: + - python_shared_common_external_input + - python_shared_lang_import1 +patterns: + - pattern: $($<...>$$<...>) + filters: + - variable: OS + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - system + - popen + - popen2 + - popen3 + - popen4 + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: getattr($, "system")($<...>$$<...>) + filters: + - variable: OS + detection: python_lang_os_command_injection_external_os_module + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: $($$<...>) + filters: + - variable: SUBPROCESS + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [subprocess] + - variable: NAME + values: + - call + - check_call + - check_output + - run + - Popen + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: $($<_>, $<...>$$<...>, $<...>) + filters: + - variable: OS + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - spawnl + - spawnle + - spawnlp + - spawnlpe + - spawnv + - spawnve + - spawnvp + - spawnvpe + - posix_spawn + - posix_spawnp + - startfile + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: $($<_>, $, ["-c", $<...>$$<...>], $<...>) + filters: + - variable: OS + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - spawnv + - spawnve + - spawnvp + - spawnvp + - spawnvpe + - posix_spawn + - posix_spawnp + - variable: BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: $.$($<_>, $, "-c", $<...>$$<...>, $<...>) + filters: + - variable: OS + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - spawnl + - spawnle + - spawnlp + - spawnlpe + - variable: BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result +auxiliary: + - id: python_lang_os_command_injection_external_os_module + patterns: + - os + - __import__("os") + - import $os + - import os as $$<_> +languages: + - python +severity: critical +metadata: + description: Unsanitized user input in OS command + remediation_message: |- + ## Description + + Directly incorporating external or user-defined input into an OS command exposes the system to possible command injection attacks. This vulnerability allows attackers to execute unauthorized commands on the operating system, potentially leading to a compromise of system integrity. + + ## Remediations + + - **Do not** use OS commands that include dynamic input directly. Instead, explore safer alternatives such as libraries or built-in functions that achieve the same goal without executing system commands. + - **Do** use hardcoded values for any input that is incorporated into OS commands. This approach minimizes the risk by ensuring only predefined inputs are used, thus preventing attackers from injecting malicious commands. Use safe lists or dictionaries if you need to be dynamic. + + ## References + + - [OWASP command injection explained](https://owasp.org/www-community/attacks/Command_Injection) + cwe_id: + - 78 + id: python_lang_os_command_injection + documentation_url: https://docs.bearer.com/reference/rules/python_lang_os_command_injection diff --git a/tests/python/lang/os_command_injection/test.js b/tests/python/lang/os_command_injection/test.js new file mode 100644 index 00000000..6bb81e79 --- /dev/null +++ b/tests/python/lang/os_command_injection/test.js @@ -0,0 +1,20 @@ +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") +const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) + +describe(ruleId, () => { + const invoke = createNewInvoker(ruleId, ruleFile, testBase) + + test("os_command_injection", () => { + const testCase = "main.py" + + const results = invoke(testCase) + + expect(results).toEqual({ + Missing: [], + Extra: [] + }) + }) +}) \ No newline at end of file diff --git a/tests/python/lang/os_command_injection/testdata/main.py b/tests/python/lang/os_command_injection/testdata/main.py new file mode 100644 index 00000000..3346977d --- /dev/null +++ b/tests/python/lang/os_command_injection/testdata/main.py @@ -0,0 +1,31 @@ +# Use bearer:expected python_lang_os_command_injection to flag expected findings + +my_os = __import__("os") +# bearer:expected python_lang_os_command_injection +getattr(my_os, "system")(input()) + +import os +import subprocess as subproc +def bad(): + unsafe = input("what hack today?") + # bearer:expected python_lang_os_command_injection + subproc.run([unsafe, "exit 0"], shell=True, capture_output=True) + # bearer:expected python_lang_os_command_injection + os.system(unsafe) + + # bearer:expected python_lang_os_command_injection + subproc.check_output( + unsafe, + stderr=subprocess.STDOUT, + shell=True) + +def bad2(): + unsafe = sys.argv[1] + # bearer:expected python_lang_os_command_injection + os.spawnlp(os.P_WAIT, unsafe) + # bearer:expected python_lang_os_command_injection + os.spawnve(os.P_WAIT, "/bin/bash", ["-c", unsafe], os.environ) + +def ok(): + os.spawnve(os.P_WAIT, "/bin/ls", ["-a"], os.environ) + subproc.run(["dir"], shell=False) \ No newline at end of file