Add detection for potential Go command injection
GitLab Secure Code Guidelines state:

> Do not use `sh`, as it bypasses internal protections:
>
>     out, _ = exec.Command("sh", "-c", "echo 1 | cat /etc/passwd").Output()

We should enforce / warn about this.

This is part of an AppSec + ProdSecEng OKR to improve how we use our secure code guidelines: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/528+
TODO

- Research:
  - How do we currently warn or enforce secure Go coding practices?
    - Pre-commit: `gitlab-org/gitlab` doesn't appear to use a Go linter in `lefthook.yml`.
    - SAST? `gosec` isn't used anymore - semgrep
  - In which project(s) does this scan / check need to be made?
    - Defo `gitlab-org/gitlab` (workhorse is go), `gitaly`, `gitlab-pages`, `gitlab-runner`, probably a handful of others
    - Any project?...
- Solution Design: decide how to implement this check
  - Update https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules with https://semgrep.dev/r?q=go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
  - Update individual project CI files to explicitly use https://semgrep.dev/r?q=go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
  - Copy https://semgrep.dev/r?q=go.lang.security.audit.dangerous-exec-command.dangerous-exec-command over to https://gitlab.com/gitlab-org/security-products/sast-rules. (Copyright / Legal considerations?)
  - Write our own semgrep rule
- Build
- Update Secure Code Guideline documentation
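As an added illustration of what such a check has to recognise (this is not code from this issue, from GitLab's projects, or from the semgrep rule linked above, and it does not reproduce that rule's matching logic), the following Go program walks a file's AST and flags `exec.Command` / `exec.CommandContext` calls whose program is a shell invoked with `-c`, the pattern quoted from the Secure Code Guidelines, while leaving direct-argv calls such as `exec.Command("cat", name)` alone. The list of shell names and the embedded sample snippet are constructed assumptions for the demo; a real rule would also want to handle aliased imports and non-literal program names.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// shells lists interpreter names whose "-c" form hands a string to a shell parser.
// Assumed set for this demo; extend as needed.
var shells = map[string]bool{"sh": true, "bash": true, "zsh": true, "dash": true}

// Finding records one exec.Command call that invokes a shell with "-c".
type Finding struct {
	Line  int
	Shell string
}

// stringLit returns the unquoted value of a string literal expression, if it is one.
func stringLit(e ast.Expr) (string, bool) {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return "", false
	}
	s, err := strconv.Unquote(lit.Value)
	if err != nil {
		return "", false
	}
	return s, true
}

// FindShellExec parses Go source and returns every exec.Command / exec.CommandContext
// call whose program is a shell and whose next argument is "-c".
func FindShellExec(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || pkg.Name != "exec" {
			return true
		}
		args := call.Args
		if sel.Sel.Name == "CommandContext" && len(args) > 0 {
			args = args[1:] // skip the ctx argument
		} else if sel.Sel.Name != "Command" {
			return true
		}
		if len(args) < 2 {
			return true
		}
		prog, ok := stringLit(args[0])
		if !ok || !shells[prog] {
			return true
		}
		if flag, ok := stringLit(args[1]); ok && flag == "-c" {
			out = append(out, Finding{Line: fset.Position(call.Pos()).Line, Shell: prog})
		}
		return true
	})
	return out, nil
}

// sample is a constructed snippet with one flagged call and one safe call.
const sample = `package demo

import "os/exec"

func run(name string) {
	// flagged: the shell parses the concatenated string, so metacharacters in name are interpreted
	exec.Command("sh", "-c", "cat "+name).Output()
	// not flagged: name is passed as a single argv element and never parsed by a shell
	exec.Command("cat", name).Output()
}
`

func main() {
	findings, err := FindShellExec(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: exec of %q with -c; pass arguments directly instead\n", f.Line, f.Shell)
	}
}
```

Running it reports only the `sh -c` call on line 7 of the sample; the direct `exec.Command("cat", name)` form is the replacement the guideline points to, because Go passes each element of argv to the program without any shell in between.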
Edited by Nick Malcolm