Skip to content

Commit bad change according to semgrep#1

Open
howinator wants to merge 2 commits intomainfrom
howie-bad-curl
Open

Commit bad change according to semgrep#1
howinator wants to merge 2 commits intomainfrom
howie-bad-curl

Conversation

@howinator
Copy link
Owner

@howinator howinator commented Aug 14, 2024

No description provided.

detail-semgrep-dev-test-app[bot]
detail-semgrep-dev-test-app bot reviewed Aug 14, 2024
View reviewed changes
whatever.bash
eval ${scrpt2}

# ruleid: curl-eval
eval $(curl -L https://raw.githubusercontent.com/something)
Copy link

@detail-semgrep-dev-test-app detail-semgrep-dev-test-app bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph 
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L23 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 23] $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
        %% Intermediate

        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L23 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 23] eval $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    File0:::invis

    %% Connections

    Source --> Sink
Loading

💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.

detail-semgrep-dev-test-app[bot]
detail-semgrep-dev-test-app bot reviewed Aug 14, 2024
View reviewed changes
whatever.bash
echo scrpt
scrpt2=$(${scrpt} | tr -d 1)
# ruleid: curl-eval
eval ${scrpt2}
Copy link

@detail-semgrep-dev-test-app detail-semgrep-dev-test-app bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph 
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] scrpt</a>"]

            v3["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L18 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 18] scrpt2</a>"]
        end
            v2 --> v3
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L20 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 20] eval ${scrpt2}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink
Loading

💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.

detail-semgrep-dev-test-app[bot]
detail-semgrep-dev-test-app bot reviewed Aug 14, 2024
View reviewed changes
whatever.bash
yy=$(curl $SOME_URL)
eval yy
# ruleid: curl-eval
eval ${yy}
Copy link

@detail-semgrep-dev-test-app detail-semgrep-dev-test-app bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph 
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L11 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 11] $(curl $SOME_URL)</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L11 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 11] yy</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] eval ${yy}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink
Loading

💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.

detail-semgrep-dev-test-app[bot]
detail-semgrep-dev-test-app bot reviewed Aug 14, 2024
View reviewed changes
whatever.bash

x=$(curl -L https://raw.githubusercontent.com/something)
# ruleid: curl-eval
eval ${x}
Copy link

@detail-semgrep-dev-test-app detail-semgrep-dev-test-app bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph 
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L7 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 7] $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L7 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 7] x</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L9 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 9] eval ${x}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink
Loading

💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.

@howinator howinator force-pushed the main branch 2 times, most recently from 17f0274 to 63e7d15 Compare November 25, 2024 00:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@detail-semgrep-dev-test-app detail-semgrep-dev-test-app[bot] detail-semgrep-dev-test-app[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@howinator