From cb57f418eb126519898a21d2b23ff0654d269540 Mon Sep 17 00:00:00 2001 From: elsapet Date: Fri, 10 May 2024 15:50:09 +0200 Subject: [PATCH 1/3] feat(python): os command injection (CWE-78) --- rules/python/lang/os_command_injection.yml | 129 ++++++++++++++++++ .../python/lang/os_command_injection/test.js | 20 +++ .../os_command_injection/testdata/main.py | 29 ++++ 3 files changed, 178 insertions(+) create mode 100644 rules/python/lang/os_command_injection.yml create mode 100644 tests/python/lang/os_command_injection/test.js create mode 100644 tests/python/lang/os_command_injection/testdata/main.py diff --git a/rules/python/lang/os_command_injection.yml b/rules/python/lang/os_command_injection.yml new file mode 100644 index 00000000..41b26ef8 --- /dev/null +++ b/rules/python/lang/os_command_injection.yml @@ -0,0 +1,129 @@ +imports: + - python_shared_common_external_input +patterns: + - pattern: $.$($<...>$$<...>) + filters: + - variable: OS + detection: python_lang_os_command_injection_external_os_init + - variable: METHOD + values: + - system + - popen + - popen2 + - popen3 + - popen4 + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: getattr($, "system")($<...>$$<...>) + filters: + - variable: OS + detection: python_lang_os_command_injection_external_os_init + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: subprocess.$($$<...>) + filters: + - variable: METHOD + values: + - call + - check_call + - check_output + - run + - Popen + - variable: SUBPROC_EXTERNAL_INPUT + detection: python_lang_os_command_injection_external_input_subproc + scope: result + - pattern: $.$($<_>, $<...>$$<...>, $<...>) + filters: + - variable: OS + detection: python_lang_os_command_injection_external_os_init + - variable: METHOD + values: + - spawnl + - spawnle + - spawnlp + - spawnlpe + - spawnv + - spawnve + - spawnvp + - spawnvpe + - posix_spawn + - posix_spawnp + - startfile + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: $.$($<_>, $, ["-c", $<...>$$<...>], $<...>) + filters: + - variable: OS + detection: python_lang_os_command_injection_external_os_init + - variable: BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - variable: METHOD + values: + - spawnv + - spawnve + - spawnvp + - spawnvp + - spawnvpe + - posix_spawn + - posix_spawnp + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: $.$($<_>, $, "-c", $<...>$$<...>, $<...>) + filters: + - variable: OS + detection: python_lang_os_command_injection_external_os_init + - variable: BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - variable: METHOD + values: + - spawnl + - spawnle + - spawnlp + - spawnlpe + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result +auxiliary: + - id: python_lang_os_command_injection_external_os_init + patterns: + - os + - __import__("os") + - id: python_lang_os_command_injection_external_input_subproc + patterns: + - pattern: $<...>$$<...> + filters: + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result + - pattern: | + [$<...>$$<...>] + filters: + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input + scope: result +languages: + - python +severity: critical +metadata: + description: Unsanitized user input in OS command + remediation_message: |- + ## Description + + Directly incorporating external or user-defined input into an OS command exposes the system to possible command injection attacks. This vulnerability allows attackers to execute unauthorized commands on the operating system, potentially leading to a compromise of system integrity. + + ## Remediations + + - **Do not** use OS commands that include dynamic input directly. Instead, explore safer alternatives such as libraries or built-in functions that achieve the same goal without executing system commands. + - **Do** use hardcoded values for any input that is incorporated into OS commands. This approach minimizes the risk by ensuring only predefined inputs are used, thus preventing attackers from injecting malicious commands. Use safe lists or dictionaries if you need to be dynamic. + + ## References + + - [OWASP command injection explained](https://owasp.org/www-community/attacks/Command_Injection) + cwe_id: + - 78 + id: python_lang_os_command_injection + documentation_url: https://docs.bearer.com/reference/rules/python_lang_os_command_injection diff --git a/tests/python/lang/os_command_injection/test.js b/tests/python/lang/os_command_injection/test.js new file mode 100644 index 00000000..6bb81e79 --- /dev/null +++ b/tests/python/lang/os_command_injection/test.js @@ -0,0 +1,20 @@ +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") +const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) + +describe(ruleId, () => { + const invoke = createNewInvoker(ruleId, ruleFile, testBase) + + test("os_command_injection", () => { + const testCase = "main.py" + + const results = invoke(testCase) + + expect(results).toEqual({ + Missing: [], + Extra: [] + }) + }) +}) \ No newline at end of file diff --git a/tests/python/lang/os_command_injection/testdata/main.py b/tests/python/lang/os_command_injection/testdata/main.py new file mode 100644 index 00000000..e3a06702 --- /dev/null +++ b/tests/python/lang/os_command_injection/testdata/main.py @@ -0,0 +1,29 @@ +# Use bearer:expected python_lang_os_command_injection to flag expected findings + +my_os = __import__("os") +# bearer:expected python_lang_os_command_injection +getattr(my_os, "system")(input()) + +def bad(): + unsafe = input("what hack today?") + # bearer:expected python_lang_os_command_injection + subprocess.run([unsafe, "exit 0"], shell=True, capture_output=True) + # bearer:expected python_lang_os_command_injection + os.system(unsafe) + + # bearer:expected python_lang_os_command_injection + subprocess.check_output( + unsafe, + stderr=subprocess.STDOUT, + shell=True) + +def bad2(): + unsafe = sys.argv[1] + # bearer:expected python_lang_os_command_injection + os.spawnlp(os.P_WAIT, unsafe) + # bearer:expected python_lang_os_command_injection + os.spawnve(os.P_WAIT, "/bin/bash", ["-c", unsafe], os.environ) + +def ok(): + os.spawnve(os.P_WAIT, "/bin/ls", ["-a"], os.environ) + subprocess.run(["dir"], shell=False) \ No newline at end of file From f52142161e74bdfa864be24827cfe261cbdaf589 Mon Sep 17 00:00:00 2001 From: elsapet Date: Tue, 14 May 2024 17:33:48 +0200 Subject: [PATCH 2/3] fix: simplify external input patterns --- rules/python/lang/os_command_injection.yml | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/rules/python/lang/os_command_injection.yml b/rules/python/lang/os_command_injection.yml index 41b26ef8..f9a8f829 100644 --- a/rules/python/lang/os_command_injection.yml +++ b/rules/python/lang/os_command_injection.yml @@ -22,7 +22,7 @@ patterns: - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result - - pattern: subprocess.$($$<...>) + - pattern: subprocess.$($$<...>) filters: - variable: METHOD values: @@ -31,8 +31,8 @@ patterns: - check_output - run - Popen - - variable: SUBPROC_EXTERNAL_INPUT - detection: python_lang_os_command_injection_external_input_subproc + - variable: EXTERNAL_INPUT + detection: python_shared_common_external_input scope: result - pattern: $.$($<_>, $<...>$$<...>, $<...>) filters: @@ -92,19 +92,6 @@ auxiliary: patterns: - os - __import__("os") - - id: python_lang_os_command_injection_external_input_subproc - patterns: - - pattern: $<...>$$<...> - filters: - - variable: EXTERNAL_INPUT - detection: python_shared_common_external_input - scope: result - - pattern: | - [$<...>$$<...>] - filters: - - variable: EXTERNAL_INPUT - detection: python_shared_common_external_input - scope: result languages: - python severity: critical From 51e8e4e2152686b6820be146cd008021df177434 Mon Sep 17 00:00:00 2001 From: elsapet Date: Wed, 15 May 2024 15:09:20 +0200 Subject: [PATCH 3/3] fix: use shared import rule --- rules/python/lang/os_command_injection.yml | 129 +++++++++++------- .../os_command_injection/testdata/main.py | 8 +- 2 files changed, 82 insertions(+), 55 deletions(-) diff --git a/rules/python/lang/os_command_injection.yml b/rules/python/lang/os_command_injection.yml index f9a8f829..e0e50afa 100644 --- a/rules/python/lang/os_command_injection.yml +++ b/rules/python/lang/os_command_injection.yml @@ -1,97 +1,122 @@ imports: - python_shared_common_external_input + - python_shared_lang_import1 patterns: - - pattern: $.$($<...>$$<...>) + - pattern: $($<...>$$<...>) filters: - variable: OS - detection: python_lang_os_command_injection_external_os_init - - variable: METHOD - values: - - system - - popen - - popen2 - - popen3 - - popen4 + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - system + - popen + - popen2 + - popen3 + - popen4 - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result - pattern: getattr($, "system")($<...>$$<...>) filters: - variable: OS - detection: python_lang_os_command_injection_external_os_init + detection: python_lang_os_command_injection_external_os_module - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result - - pattern: subprocess.$($$<...>) + - pattern: $($$<...>) filters: - - variable: METHOD - values: - - call - - check_call - - check_output - - run - - Popen + - variable: SUBPROCESS + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [subprocess] + - variable: NAME + values: + - call + - check_call + - check_output + - run + - Popen - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result - - pattern: $.$($<_>, $<...>$$<...>, $<...>) + - pattern: $($<_>, $<...>$$<...>, $<...>) filters: - variable: OS - detection: python_lang_os_command_injection_external_os_init - - variable: METHOD - values: - - spawnl - - spawnle - - spawnlp - - spawnlpe - - spawnv - - spawnve - - spawnvp - - spawnvpe - - posix_spawn - - posix_spawnp - - startfile + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - spawnl + - spawnle + - spawnlp + - spawnlpe + - spawnv + - spawnve + - spawnvp + - spawnvpe + - posix_spawn + - posix_spawnp + - startfile - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result - - pattern: $.$($<_>, $, ["-c", $<...>$$<...>], $<...>) + - pattern: $($<_>, $, ["-c", $<...>$$<...>], $<...>) filters: - variable: OS - detection: python_lang_os_command_injection_external_os_init + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - spawnv + - spawnve + - spawnvp + - spawnvp + - spawnvpe + - posix_spawn + - posix_spawnp - variable: BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - - variable: METHOD - values: - - spawnv - - spawnve - - spawnvp - - spawnvp - - spawnvpe - - posix_spawn - - posix_spawnp - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result - pattern: $.$($<_>, $, "-c", $<...>$$<...>, $<...>) filters: - variable: OS - detection: python_lang_os_command_injection_external_os_init + detection: python_shared_lang_import1 + scope: cursor + filters: + - variable: MODULE1 + values: [os] + - variable: NAME + values: + - spawnl + - spawnle + - spawnlp + - spawnlpe - variable: BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - - variable: METHOD - values: - - spawnl - - spawnle - - spawnlp - - spawnlpe - variable: EXTERNAL_INPUT detection: python_shared_common_external_input scope: result auxiliary: - - id: python_lang_os_command_injection_external_os_init + - id: python_lang_os_command_injection_external_os_module patterns: - os - __import__("os") + - import $os + - import os as $$<_> languages: - python severity: critical diff --git a/tests/python/lang/os_command_injection/testdata/main.py b/tests/python/lang/os_command_injection/testdata/main.py index e3a06702..3346977d 100644 --- a/tests/python/lang/os_command_injection/testdata/main.py +++ b/tests/python/lang/os_command_injection/testdata/main.py @@ -4,15 +4,17 @@ # bearer:expected python_lang_os_command_injection getattr(my_os, "system")(input()) +import os +import subprocess as subproc def bad(): unsafe = input("what hack today?") # bearer:expected python_lang_os_command_injection - subprocess.run([unsafe, "exit 0"], shell=True, capture_output=True) + subproc.run([unsafe, "exit 0"], shell=True, capture_output=True) # bearer:expected python_lang_os_command_injection os.system(unsafe) # bearer:expected python_lang_os_command_injection - subprocess.check_output( + subproc.check_output( unsafe, stderr=subprocess.STDOUT, shell=True) @@ -26,4 +28,4 @@ def bad2(): def ok(): os.spawnve(os.P_WAIT, "/bin/ls", ["-a"], os.environ) - subprocess.run(["dir"], shell=False) \ No newline at end of file + subproc.run(["dir"], shell=False) \ No newline at end of file