As an engineer, I want to be warned early when my application code is trying to shell out for things that libraries already provide, such as:
curl/wget (Can probably use a URL request)sed/awk/gawk/nawk (Can just use a regular expression)jq (Can use a JSON marshaller)
This rule would encourage more performant applications, remove dependencies on unnecessary software components, reduce attack surfaces, and increase cross-platform support, by avoiding relying on platform-specific shell command syntax.
Example triggers:
- Supplying a process object with a launch path ending with
curl, wget, sed, awk, jq, jq.exe, etc.
Example non-triggers:
- Supplying a process object with an argument of
curl, wget, sed, awk, jq, jq.exe, etc. While there are plenty of cases where these would constitute unnecessary shell commands, such as /usr/bin/env curl... or exec wget..., the false positives for such commands are unfortunately more numerous than the true positives.
This rule should contain a limited number of common shell commands, such as those listed above. We can add more over time. Configuration for this rule should be able to customize which of these command patterns is relevant to the user's application needs.
As a security concern, this rule can reasonably become a default rule, as shelling out introduces additional security risks, including shell injections, compared to sticking to pure library code.
I would be happy to see this rule be included in bandit's available suite of checks, and if we find we're happy to apply it in a lot of places, then we can always turn it on by default later.
As an engineer, I want to be warned early when my application code is trying to shell out for things that libraries already provide, such as:
curl/wget(Can probably use a URL request)sed/awk/gawk/nawk(Can just use a regular expression)jq(Can use a JSON marshaller)This rule would encourage more performant applications, remove dependencies on unnecessary software components, reduce attack surfaces, and increase cross-platform support, by avoiding relying on platform-specific shell command syntax.
Example triggers:
curl,wget,sed,awk,jq,jq.exe, etc.Example non-triggers:
curl,wget,sed,awk,jq,jq.exe, etc. While there are plenty of cases where these would constitute unnecessary shell commands, such as/usr/bin/env curl... orexec wget..., the false positives for such commands are unfortunately more numerous than the true positives.This rule should contain a limited number of common shell commands, such as those listed above. We can add more over time. Configuration for this rule should be able to customize which of these command patterns is relevant to the user's application needs.
As a security concern, this rule can reasonably become a default rule, as shelling out introduces additional security risks, including shell injections, compared to sticking to pure library code.
I would be happy to see this rule be included in bandit's available suite of checks, and if we find we're happy to apply it in a lot of places, then we can always turn it on by default later.