Skip to content

Resolve vulnerability: Improper neutralization of special elements used in an OS command ('OS Command Injection')

Thiago Figueiró requested to merge remediate/improper-neutralization-of-special-elements-used-in-an-os-comma-D20240516T031543 into master

AI GENERATED PATCH

The suggested code changes were generated by GitLab Duo Vulnerability Resolution, an AI feature. Use this feature with caution. Before you apply the code changes, carefully review and test them, to ensure that they solve the vulnerability, don't harm the functional behavior of your application or introduce new vulnerabilities.

The large language model that generated the suggested code changes was only provided with the affected lines of code, and the vulnerability in that code. It is not aware of any functionality outside of this context.

Please see our documentation for more information about this feature. We'd love to hear your feedback so we can improve on this feature as we work to bring it to general availability.

Description:

OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed.

User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads.

Ensure your application does not:

  • Use user-supplied information in the process name to execute.
  • Use user-supplied information in an OS command execution function which does not escape shell meta-characters.
  • Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:

userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}

For more information on OS command injection, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Identifiers:

  • Gosec Rule ID G204
  • CWE-78
  • gosec.G204-1
  • CWE-95
  • A1 - Injection
  • A1:2017 - Injection
  • A03:2021 - Injection

Merge request reports