Fix inverted rule description

Bearer · Jan 31, 2024 · 5062152 · 5062152
1 parent 1ef57db
commit 5062152
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 72 deletions.
diff --git a/rules/go/gosec/injection/subproc_injection.yml b/rules/go/gosec/injection/subproc_injection.yml
@@ -24,65 +24,47 @@ metadata:
   remediation_message: |
     ## Description
 
-    OS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.
+    OS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.
 
     ## Remediations
 
-    Prevent OS command injection by adhering to the following practices:
+    ✅ Avoid User Input in OS Commands
 
-    ❌ Avoid Direct User Input
+    Always steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.
 
-    Do not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.
+    ✅ Hardcoded Argument Set
 
-    ✅ Implement Input Validation
+    Ensure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.
 
-    Ensure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.
+    ✅ Opt for Native Libraries
 
-    ✅ Use Hardcoded Arguments
+    Due to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.
 
-    When invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.
+    ✅ Specify Full Path in Windows
 
-    ✅ Utilize Temporary Files Securely
+    If the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).
 
-    When dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.
+    ```go
+    userData := []byte("user data")
+    // create a temporary file in the application-specific directory
+    f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
+    if err != nil {
+      log.Fatal(err)
+    }
 
-    ✅ Employ Native Libraries
+    if _, err := f.Write(userData); err != nil {
+      log.Fatal(err)
+    }
 
-    Where possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.
+    if err := f.Close(); err != nil {
+      log.Fatal(err)
+    }
 
-    ```go
-    import (
-        "io/ioutil"
-        "os/exec"
-        "log"
-    )
-
-    func main() {
-        userData := []byte("user data")
-
-        // Create a temporary file in a secure, application-specific directory
-        f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
-        if err != nil {
-            log.Fatal(err)
-        }
-
-        // Write user data to the temporary file
-        if _, err := f.Write(userData); err != nil {
-            f.Close()
-            log.Fatal(err)
-        }
-
-        // Close the file handle
-        if err := f.Close(); err != nil {
-            log.Fatal(err)
-        }
-
-        // Execute a command using the temporary file, avoiding direct user input for filenames
-        out, err := exec.Command("/bin/cat", f.Name()).Output()
-        if err != nil {
-            log.Fatal(err)
-        }
-        // Output can be used for further processing
+    // use the absolute path to the binary and the name of the temporary file
+    // steering clear of any user-provided filenames
+    out, err := exec.Command("/bin/cat", f.Name()).Output()
+    if err != nil {
+      log.Fatal(err)
     }
     ```
 

diff --git a/rules/go/gosec/subproc/subproc.yml b/rules/go/gosec/subproc/subproc.yml
@@ -29,47 +29,65 @@ metadata:
   remediation_message: |
     ## Description
 
-    OS command injection is a perilous vulnerability that has the potential to lead to full system compromise. Adversaries may exploit this flaw by feeding arbitrary commands or arguments intended for execution. This opens the door for unchecked operations, which could wreak havoc on the system or reveal sensitive information.
+    OS command injection is a severe security vulnerability that occurs when an application incorrectly processes user input. This flaw can allow attackers to execute arbitrary commands on the host operating system, potentially leading to a full system compromise.
 
     ## Remediations
 
-    ✅ Avoid User Input in OS Commands
+    Prevent OS command injection by adhering to the following practices:
 
-    Always steer clear of incorporating user input when formulating commands or their arguments, especially for functions responsible for OS command execution. This includes, but is not limited to, filenames provided during user uploads/downloads.
+    ❌ Avoid Direct User Input
 
-    ✅ Hardcoded Argument Set
+    Do not use user-supplied information for constructing OS commands or command-line arguments, as this can lead to command injection vulnerabilities.
 
-    Ensure your application exclusively uses a hardcoded set of arguments for OS command executions. If filenames are being passed to such functions, consider adopting a hash of the filename or another distinctive identifier.
+    ✅ Implement Input Validation
 
-    ✅ Opt for Native Libraries
+    Ensure that any user input is validated against a set of strict rules to ensure it does not contain malicious characters or patterns.
 
-    Due to the inherent risks associated with third-party commands and the possibility of undisclosed attack vectors, prefer using native libraries that offer the same capabilities as opposed to resorting to OS system commands.
+    ✅ Use Hardcoded Arguments
 
-    ✅ Specify Full Path in Windows
+    When invoking OS commands, use a hardcoded set of arguments to ensure that user input cannot alter the command's behavior.
 
-    If the environment is Windows-based, always provide the complete path information when denoting the OS command. This circumvents potential vulnerabilities stemming from untrusted search paths (CWE-426).
+    ✅ Utilize Temporary Files Securely
 
-    ```go
-    userData := []byte("user data")
-    // create a temporary file in the application-specific directory
-    f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
-    if err != nil {
-      log.Fatal(err)
-    }
+    When dealing with files, create temporary files in a restricted directory, avoiding the use of user-supplied filenames.
 
-    if _, err := f.Write(userData); err != nil {
-      log.Fatal(err)
-    }
+    ✅ Employ Native Libraries
 
-    if err := f.Close(); err != nil {
-      log.Fatal(err)
-    }
+    Where possible, use native libraries or features of the programming language instead of invoking shell commands, which can be safer and more efficient.
 
-    // use the absolute path to the binary and the name of the temporary file
-    // steering clear of any user-provided filenames
-    out, err := exec.Command("/bin/cat", f.Name()).Output()
-    if err != nil {
-      log.Fatal(err)
+    ```go
+    import (
+        "io/ioutil"
+        "os/exec"
+        "log"
+    )
+
+    func main() {
+        userData := []byte("user data")
+
+        // Create a temporary file in a secure, application-specific directory
+        f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
+        if err != nil {
+            log.Fatal(err)
+        }
+
+        // Write user data to the temporary file
+        if _, err := f.Write(userData); err != nil {
+            f.Close()
+            log.Fatal(err)
+        }
+
+        // Close the file handle
+        if err := f.Close(); err != nil {
+            log.Fatal(err)
+        }
+
+        // Execute a command using the temporary file, avoiding direct user input for filenames
+        out, err := exec.Command("/bin/cat", f.Name()).Output()
+        if err != nil {
+            log.Fatal(err)
+        }
+        // Output can be used for further processing
     }
     ```