Findings
High
Finding 25988: Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection')
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Sept. 16, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
CVSS v3
None
Description
Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.
User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.
Ensure your application does not:
- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.
The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.
If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).
Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
log.Fatal(err)
}
if _, err := f.Write(userData); err != nil {
log.Fatal(err)
}
if err := f.Close(); err != nil {
log.Fatal(err)
}
// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
log.Fatal(err)
}
```
For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204
Finding 25989: Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection')
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Sept. 16, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| lib/did/ledger.go |
CVSS v3
None
Description
Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.
User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.
Ensure your application does not:
- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.
The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.
If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).
Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
log.Fatal(err)
}
if _, err := f.Write(userData); err != nil {
log.Fatal(err)
}
if err := f.Close(); err != nil {
log.Fatal(err)
}
// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
log.Fatal(err)
}
```
For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204
Medium
Finding 25990: Incorrect Permission Assignment for Critical Resource
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Sept. 16, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
732
|
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting directory permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
files in the directory specified:
- 0700 - read/write access to the files in the directory
Another common value is `0750` which allows the application user read/write access and group
users to read the files contained in the directory.
Example creating a directory with read/write permissions for only the application user:
```
err := os.Mkdir("directory", 0700)
if err != nil {
log.Fatal(err)
}
```
For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G301-1
Value: gosec.G301-1
Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021
Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G301
Value: G301
Finding 25991: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Sept. 16, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
22
|
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.
User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.
Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
id string
userFilename string
}
func newUserData(userFilename string) userData {
return userData{
id: randomFileID(), // random id as the filename
userFilename: userFilename,
}
}
// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
id := make([]byte, 16)
if _, err := io.ReadFull(rand.Reader, id); err != nil {
log.Fatal(err)
}
return hex.EncodeToString(id)
}
func main() {
// user input, saved only as a reference
data := newUserData("../../possibly/malicious")
// restrict all file access to this path
const basePath = "/tmp/"
// resolve the full path, but only use our random generated id
resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
if err != nil {
log.Fatal(err)
}
// verify the path is prefixed with our basePath
if !strings.HasPrefix(resolvedPath, basePath) {
log.Fatal("path does not start with basePath")
}
// process / work with file
}
```
For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1
Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021
Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304
Finding 25992: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Sept. 16, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
22
|
Location
| File Path |
| cmd/cap/util.go |
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.
User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.
Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
id string
userFilename string
}
func newUserData(userFilename string) userData {
return userData{
id: randomFileID(), // random id as the filename
userFilename: userFilename,
}
}
// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
id := make([]byte, 16)
if _, err := io.ReadFull(rand.Reader, id); err != nil {
log.Fatal(err)
}
return hex.EncodeToString(id)
}
func main() {
// user input, saved only as a reference
data := newUserData("../../possibly/malicious")
// restrict all file access to this path
const basePath = "/tmp/"
// resolve the full path, but only use our random generated id
resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
if err != nil {
log.Fatal(err)
}
// verify the path is prefixed with our basePath
if !strings.HasPrefix(resolvedPath, basePath) {
log.Fatal("path does not start with basePath")
}
// process / work with file
}
```
For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1
Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021
Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304