Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Once triggered, dangerous-subprocess-use-tainted-env-args cannot be addressed #3485

Closed
1 of 3 tasks
pulkin opened this issue Oct 8, 2024 · 2 comments · Fixed by #3487
Closed
1 of 3 tasks

Once triggered, dangerous-subprocess-use-tainted-env-args cannot be addressed #3485

pulkin opened this issue Oct 8, 2024 · 2 comments · Fixed by #3487
Assignees
@0xDC0DE
Labels
bug Something isn't working

Comments

@pulkin
Copy link

pulkin commented Oct 8, 2024

Describe the bug

The subject rule can be triggered in some valid circumstances. But the suggested recipe is misleading or does not work at all.

  1. The rule description mentioning using 'shlex.escape()' is wrong because shlex.escape is not a function (I suggest to replace it with shlex.quote()).
  2. Using shlex.quote is not accepted by the rule. As a result, I ended up ignoring it. I am not sure if currently there is any reasonable way to address the rule once triggered.

To Reproduce

Try adding shlex.quote to the rule test cases and observe nothing changed in the static analysis report.

Expected behavior

The recipe to fix the triggering rule in the rule description works in practice.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me
@pulkin pulkin added the bug Something isn't working label Oct 8, 2024
@0xDC0DE 0xDC0DE self-assigned this Oct 14, 2024
@0xDC0DE 0xDC0DE mentioned this issue Oct 14, 2024
Merged
@0xDC0DE
Copy link
Contributor

0xDC0DE commented Oct 14, 2024

Thanks for reporting this, @pulkin. I'm making the necessary updates like you suggested.

@pulkin
Copy link
Author

pulkin commented Oct 16, 2024

Thanks for fixing this! Is this something that is immediately available when I run semgrep or it has to undergo some release process?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xDC0DE 0xDC0DE

Labels
bug Something isn't working
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add sanitizer and update message of dangerous subprocess rule semgrep/semgrep-rules
2 participants
@0xDC0DE @pulkin