semgrep app - pr comment test #2918

Closed
wants to merge 1 commit into from
26 changes: 26 additions & 0 deletions cmd/test-semgrep.go
@@ -0,0 +1,26 @@
package main

import (
"context"
"fmt"
"os/exec"
)

func main() {
// Another example of untrusted input
input := "ping -c 8 google.com; echo hacked"

ctx := context.Background()

// Vulnerable: input is directly concatenated into the command
command := fmt.Sprintf("sh -c %s", input)
cmd := exec.CommandContext(ctx, command)
Contributor
Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

Ignore this finding from dangerous-exec-command.

Contributor

Semgrep Assistant suggests the following fix: Use exec.CommandContext with static commands and separate arguments to prevent command injection.

View step-by-step instructions
  1. Avoid using fmt.Sprintf to construct the command string. Instead, split the command and its arguments into separate strings to prevent injection.
  2. Use exec.CommandContext with a static command and pass arguments separately. For example, replace command := fmt.Sprintf("sh -c %s", input) with command := "sh" and args := []string{"-c", input}.
  3. Update the exec.CommandContext call to include the arguments: cmd := exec.CommandContext(ctx, command, args...).
  4. Validate or sanitize the input to ensure it does not contain malicious content. For example, you can use a whitelist of allowed commands or patterns.
  5. Consider using the golang.org/x/net/context package for more advanced context handling if needed.

This code change should be a good starting point:

Suggested change
cmd := exec.CommandContext(ctx, command)
package main
import (
"context"
"fmt"
"os/exec"
)
func main() {
// Another example of untrusted input
input := "ping -c 7 google.com; echo hacked"
ctx := context.Background()
// Fix: Use static command and separate arguments
command := "sh"
args := []string{"-c", input}
cmd := exec.CommandContext(ctx, command, args...)
// Execute and print the output
output, err := cmd.CombinedOutput()
if err != nil {
fmt.Println("Error:", err)
}
fmt.Println("Output:", string(output))
}

Leave feedback with a 👍 / 👎. Save a memory with /semgrep remember <your custom instructions>.
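The suggested change above keeps the call shaped as `sh -c <input>`, so the shell still parses the untrusted string and the `; echo hacked` segment still runs; splitting "sh" and "-c" into separate arguments changes nothing about that. The example below is added here and is not code from this PR or from Semgrep. It places the suggested form beside the form that actually removes the injection: build the argv for the intended program directly, with no shell, and reject any host that is not a plain hostname before it reaches the call. The names `validateHost`, `pingCommand`, `shellCommand` and `hostnamePattern`, the 1..10 count range and the hostname allowlist are assumptions chosen for the example; the attacker input in `main` is constructed and uses `echo` instead of `ping` so it runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"time"
)

// hostnamePattern is an assumed allowlist: DNS labels only. Anything with
// spaces, quotes, ';', '$', '|' or a leading '-' (which ping would read as
// an option) fails to match. Adjust for your own deployment.
var hostnamePattern = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// validateHost rejects anything that is not a plain hostname or IPv4 literal.
func validateHost(host string) error {
	if host == "" || len(host) > 253 || !hostnamePattern.MatchString(host) {
		return fmt.Errorf("invalid host %q", host)
	}
	return nil
}

// shellCommand reproduces the Assistant's suggestion. The shell is still
// invoked, so the whole input string is parsed as shell syntax.
func shellCommand(ctx context.Context, input string) *exec.Cmd {
	return exec.CommandContext(ctx, "sh", "-c", input)
}

// pingCommand builds the argv directly. No shell is involved, so the host
// is a single argument to ping whatever it contains, and validateHost has
// already rejected anything that is not a hostname.
func pingCommand(ctx context.Context, host string, count int) (*exec.Cmd, error) {
	if err := validateHost(host); err != nil {
		return nil, err
	}
	if count < 1 || count > 10 { // assumed policy for this example
		return nil, errors.New("count out of range")
	}
	return exec.CommandContext(ctx, "ping", "-c", strconv.Itoa(count), host), nil
}

func main() {
	// Unlike context.Background(), a deadline makes CommandContext useful.
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	// Constructed attacker input, same shape as the PR's test string, with
	// "echo" standing in for "ping" so the demo needs no network.
	input := "echo ping -c 8 google.com; echo hacked"

	// Suggested fix: both commands after the ';' still execute.
	out, err := shellCommand(ctx, input).CombinedOutput()
	fmt.Printf("sh -c output: %q err=%v\n", out, err)

	// Real fix: the injected host never reaches exec at all.
	if _, err := pingCommand(ctx, "google.com; echo hacked", 8); err != nil {
		fmt.Println("rejected:", err)
	}
	cmd, _ := pingCommand(ctx, "google.com", 8)
	fmt.Println("argv:", cmd.Args)
}
```

The point to take from `shellCommand` is that `cmd.Args[2]` is still the raw string: separating arguments only helps when the program receiving them is not itself a command interpreter. If a shell is genuinely required (pipes, globbing), quote each untrusted value with something like `strconv.Quote` semantics for the target shell and still validate it; the safer default is to call the real program with an explicit argv as `pingCommand` does.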


// Execute and print the output
output, err := cmd.CombinedOutput()
if err != nil {
fmt.Println("Error:", err)
}
fmt.Println("Output:", string(output))
}
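Review bot: at `cmd := exec.CommandContext(ctx, command)` the whole string "sh -c ping -c 8 google.com; echo hacked" is passed as the program name, so nothing is executed: LookPath searches PATH for a file with that literal name, fails with "executable file not found", and the `; echo hacked` suffix never reaches a shell. As a fixture for the dangerous-exec-command rule that is fine, since the rule keys on the non-static argument, but it does not demonstrate the injection it is commented as showing. If an actually exploitable fixture is intended, invoke the shell as `exec.CommandContext(ctx, "sh", "-c", input)`, and note that this is exactly the shape the Assistant's suggested change produces, so that "fix" still runs the injected command. Separately, `ctx := context.Background()` carries no deadline, so CommandContext here behaves like exec.Command; use context.WithTimeout if the intent is to bound the child process.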
