1- < p > When executing an OS command and unless you specify the full path to the executable, then the locations in your application’s < code > PATH</ code >
2- environment variable will be searched for the executable. That search could leave an opening for an attacker if one of the elements in
3- < code > PATH</ code > is a directory under his control.</ p >
1+ < p > When you run an OS command, it is always important to protect yourself against the risk of accidental or malicious replacement of the executables
2+ in the production system.</ p >
3+ < p > To do so, it is important to point to the specific executable that should be used.</ p >
4+ < p > For example, if you call < code > git</ code > (without specifying a path), the operating system will search for the executable in the directories
5+ specified in the < code > PATH</ code > environment variable.< br > An attacker could have added, in a permissive directory covered by < code > PATH</ code > ,
6+ another executable called < code > git</ code > , but with a completely different behavior, for example exfiltrating data or exploiting a vulnerability in
7+ your own code.</ p >
8+ < p > However, by calling < code > /usr/bin/git</ code > or < code > ../git</ code > (relative path) directly, the operating system will always use the intended
9+ executable.< br > Note that you still need to make sure that the executable is not world-writeable and potentially overwritten. This is not the scope of
10+ this rule.</ p >
411< h2 > Ask Yourself Whether</ h2 >
512< ul >
6- < li > The directories in the PATH environment variable may be defined by not trusted entities . </ li >
13+ < li > The PATH environment variable only contains fixed, trusted directories . </ li >
714</ ul >
8- < p > There is a risk if you answered yes to this question.</ p >
15+ < p > There is a risk if you answered no to this question.</ p >
916< h2 > Recommended Secure Coding Practices</ h2 >
10- < p > Fully qualified/absolute path should be used to specify the OS command to execute.</ p >
17+ < p > If you wish to rely on the < code > PATH</ code > environment variable to locate the OS command, make sure that each of its listed directories is fixed,
18+ not susceptible to change, and not writable by unprivileged users.</ p >
19+ < p > If you determine that these folders cannot be altered, and that you are sure that the program you intended to use will be used, then you can
20+ determine that these risks are under your control.</ p >
21+ < p > A good practice you can use is to also hardcode the < code > PATH</ code > variable you want to use, if you can do so in the framework you use.</ p >
22+ < p > If the previous recommendations cannot be followed due to their complexity or other requirements, then consider using the absolute path of the
23+ command instead.</ p >
24+ < pre >
25+ $ whereis git
26+ git: /usr/bin/git /usr/share/man/man1/git.1.gz
27+ $ ls -l /usr/bin/git
28+ -rwxr-xr-x 1 root root 3376112 Jan 28 10:13 /usr/bin/git
29+ </ pre >
1130< h2 > Sensitive Code Example</ h2 >
1231< p > The full path of the command is not specified and thus the executable will be searched in all directories listed in the < code > PATH</ code >
1332environment variable:</ p >
@@ -21,16 +40,16 @@ <h2>Sensitive Code Example</h2>
2140< h2 > Compliant Solution</ h2 >
2241< p > The command is defined by its full path:</ p >
2342< pre >
24- Runtime.getRuntime().exec("/usr/bin/make"); // Compliant
25- Runtime.getRuntime().exec(new String[]{"~/bin/make"}); // Compliant
43+ Runtime.getRuntime().exec("/usr/bin/make");
44+ Runtime.getRuntime().exec(new String[]{"~/bin/make"});
2645
27- ProcessBuilder builder = new ProcessBuilder("./bin/make"); // Compliant
28- builder.command("../bin/make"); // Compliant
29- builder.command(Arrays.asList("..\bin\make", "-j8")); // Compliant
46+ ProcessBuilder builder = new ProcessBuilder("./bin/make");
47+ builder.command("../bin/make");
48+ builder.command(Arrays.asList("..\bin\make", "-j8"));
3049
31- builder = new ProcessBuilder(Arrays.asList(".\make")); // Compliant
32- builder.command(Arrays.asList("C:\bin\make", "-j8")); // Compliant
33- builder.command(Arrays.asList("\\SERVER\bin\make")); // Compliant
50+ builder = new ProcessBuilder(Arrays.asList(".\make"));
51+ builder.command(Arrays.asList("C:\bin\make", "-j8"));
52+ builder.command(Arrays.asList("\\SERVER\bin\make"));
3453</ pre >
3554< h2 > See</ h2 >
3655< ul >
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments