4 changes: 3 additions & 1 deletion .github/workflows/semgrep.yml
@@ -1,7 +1,9 @@
name: Semgrep
on:
workflow_dispatch: {}
pull_request: {}
pull_request:
branches:
- main
push:
branches:
- main
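Review bot: narrowing `pull_request` from `{}` to `branches: [main]` means pull requests that target any other base branch (a release or long-lived feature branch) are no longer scanned at all. If that is intended, it is worth stating in the PR description; otherwise keep `pull_request: {}` and apply the `branches: [main]` filter only to the new `push` trigger, which is where the noise would come from.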
26 changes: 26 additions & 0 deletions whatever.bash
@@ -0,0 +1,26 @@
foo=$(curl http://google.com)

echo "$foo"

#!/bin/bash

x=$(curl -L https://raw.githubusercontent.com/something)
# ruleid: curl-eval
eval ${x}
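Review bot: the `#!/bin/bash` on the fifth line is inert; a shebang only takes effect on line 1, so if this file is ever executed directly it runs under whatever shell the caller happens to use. If the file is a Semgrep test fixture for `curl-eval` (the `# ruleid:` marker suggests so), that is harmless, but then the unannotated `foo=$(curl http://google.com)` / `echo "$foo"` pair at the top should carry a `# ok: curl-eval` marker so the rule is also asserted not to fire when curl output reaches a non-eval sink. Unquoted `${x}` in `eval ${x}` is fine for a fixture since word splitting is exactly what the rule is meant to catch.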

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L7 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 7] $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L7 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 7] x</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L9 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 9] eval ${x}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.


yy=$(curl $SOME_URL)
eval yy
# ruleid: curl-eval
eval ${yy}
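Review bot: `eval yy` on the line before the annotated sink evaluates the literal word `yy` (it tries to run a command named `yy`), not the variable, and carries no marker. If it is meant as a negative case, mark it `# ok: curl-eval`; if it is a typo for `eval $yy`, it is a second true positive the test should assert on, and the dataflow trace (which reports only line 14) shows the rule currently does not. Also note `$SOME_URL` is unquoted, so a URL containing whitespace would be split into several curl arguments.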

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L11 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 11] $(curl $SOME_URL)</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L11 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 11] yy</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] eval ${yy}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.


scrpt=$(curl -L https://raw.githubusercontent.com/something)
echo scrpt
scrpt2=$(${scrpt} | tr -d 1)
# ruleid: curl-eval
eval ${scrpt2}
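Review bot: `scrpt2=$(${scrpt} | tr -d 1)` already executes the fetched content: `${scrpt}` in command position runs whatever curl returned, before `eval ${scrpt2}` is reached. A rule keyed only on `eval` sinks reports the later line (the trace shows `scrpt -> scrpt2 -> eval`) but not this earlier command-substitution sink, so either mark this line as a second `# ruleid:` and extend the rule, or note in the fixture that it is deliberately out of scope for `curl-eval`. Separately, `echo scrpt` prints the literal string `scrpt`, not `$scrpt`, which is presumably not what was intended.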

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] scrpt</a>"]

            v3["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L18 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 18] scrpt2</a>"]
        end
            v2 --> v3
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L20 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 20] eval ${scrpt2}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.


# ruleid: curl-eval
eval $(curl -L https://raw.githubusercontent.com/something)

Data is being eval'd from a curl command. An attacker with control of the server in the curl command could inject malicious code into the eval, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>whatever.bash</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L23 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 23] $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
        %% Intermediate

        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/howinator/dotfiles/blob/5a31c0ece1fbadf712f723734aeead9f77e64336/whatever.bash#L23 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 23] eval $(curl -L https://raw.githubusercontent.com/something)</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    File0:::invis

    %% Connections

    Source --> Sink


💬 Reply with /semgrep ignore <reason> or triage in Semgrep AppSec Platform to ignore the finding created by curl-eval.


# ok: curl-eval
eval "x=1"
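The "check the SHA sum" remediation that each of the Semgrep comments above suggests, written out as an added example. This is not code from this PR, from the `dotfiles` repository or from Semgrep; the URL and digest passed to `fetch_and_run` are assumed to be supplied by the caller (the `example.invalid` URL in the comment is a placeholder), and the demonstration at the bottom uses a constructed local script in place of a download so it runs offline:

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or from Semgrep.
# Replaces `eval $(curl ...)` with: download to a file, compare its SHA-256
# against a digest pinned in the repository, and only then execute it.
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest equals the pinned one, 1 otherwise.
# The pinned digest must come from somewhere the script's server cannot
# change (this repo, a signed release note); otherwise the check proves nothing.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'digest mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Fetch URL to a temp file, verify it, then run it as a script.
# The only function here that touches the network. Hypothetical usage:
#   fetch_and_run https://example.invalid/install.sh <64-hex-char digest>
fetch_and_run() {
    local url="$1" expected="$2" tmp rc=0
    tmp="$(mktemp)"
    # -f: fail on HTTP errors; -sS: quiet but report errors; -L: follow
    # redirects, while --proto/--proto-redir keep every hop on https.
    if ! curl -fsSL --proto '=https' --proto-redir '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    bash "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Offline demonstration: a constructed script stands in for the download.
# The digest is computed here only because the script is ours; in real use
# it is pinned ahead of time, never derived from what was just fetched.
demo_verify() {
    local script pinned
    script="$(mktemp)"
    printf 'echo "running verified script"\n' > "$script"
    pinned="$(sha256_of "$script")"
    verify_sha256 "$script" "$pinned" && bash "$script"
    # A wrong digest must be rejected before anything is executed.
    if verify_sha256 "$script" "$(printf '%064d' 0)" 2>/dev/null; then
        rm -f "$script"
        echo "BUG: mismatched digest accepted" >&2
        return 1
    fi
    rm -f "$script"
    echo "mismatch rejected as expected"
}

demo_verify
```

The part the bot's message leaves implicit is where the expected digest comes from. Fetching `install.sh.sha256` from the same host as `install.sh` and comparing the two only detects transfer corruption; an attacker who controls that server replaces both files. The digest has to be committed alongside the script that calls `fetch_and_run`, and updated through code review when the upstream script changes.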