From fe5f6603c6cffd7cb58c44062c5fb309b97776b2 Mon Sep 17 00:00:00 2001
From: Mike Shirley
Date: Wed, 24 Jan 2024 09:38:30 -0600
Subject: [PATCH 1/3] Add test case to tar-insecure-flags.sh

There are edge cases wherein the unbounded ellipsis in the rule set will unintentionally wrap across multiple lines and match on a flag in a completely different command. This test case illustrates one such condition.
---
 generic/tar-insecure-flags.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/generic/tar-insecure-flags.sh b/generic/tar-insecure-flags.sh
index 74972fe..686ae39 100644
--- a/generic/tar-insecure-flags.sh
+++ b/generic/tar-insecure-flags.sh
@@ -11,3 +11,9 @@ tar -xvf --Psomeotherflag archive.tar
 
 # ok: tar-insecure-flags
 tar -xvf archive.tar
+
+# Unbounded ellipsis span in pattern wraps to next command in some scenarios
+wget https://git.kernel.org/torvalds/t/linux-6.8-rc1.tar.gz -O - | tar -xz -C / && mv linux-6.8-rc1 linux
+
+# This shouldn't match, but the ellipsis wrap picks up the p flag in this command and associates it with the previous command
+wget https://github.com/trailofbits/semgrep-rules -P /ToB/

From b8e2c7b05a0bb988f1ba240420b992468269583b Mon Sep 17 00:00:00 2001
From: Mike Shirley
Date: Wed, 24 Jan 2024 09:40:50 -0600
Subject: [PATCH 2/3] Add span boundary for ellipsis patterns

This prevents multiline span matching across different commands in some edge cases.
---
 generic/tar-insecure-flags.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/generic/tar-insecure-flags.yaml b/generic/tar-insecure-flags.yaml
index 03618ce..d5ab70a 100644
--- a/generic/tar-insecure-flags.yaml
+++ b/generic/tar-insecure-flags.yaml
@@ -13,6 +13,8 @@ rules:
 impact: HIGH
 references:
 - https://man7.org/linux/man-pages/man1/tar.1.html
+ options:
+ generic_ellipsis_max_span: 0
 pattern-either:
 # A space character was left at the end of some patterns to help ensure
 # that the intended flag was used, and minimize the chance that another,
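Review bot: The second added fixture line, `wget https://github.com/trailofbits/semgrep-rules -P /ToB/`, is described by its comment as a line that must not match, yet it carries no `# ok: tar-insecure-flags` annotation; the hunk in PATCH 3/3 adds that annotation only above the piped `wget ... | tar -xz -C /` line. Adding `# ok: tar-insecure-flags` directly above the `-P /ToB/` line as well records the intent the comment states; semgrep's test harness presumably still reports a finding on an unannotated line as incorrect, so the annotation documents intent rather than changing what the test checks. The two fixture comments also describe the rule's old ellipsis-wrap defect rather than what the fixture asserts, so once the rule is bounded they read like a live bug report; wording such as `# wget's -P must not be attributed to the preceding tar command` would age better.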
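Review bot: `generic_ellipsis_max_span: 0` is added without a comment, and it silently narrows what the rule catches: an ellipsis can no longer cross a newline, so a `tar` invocation split over several lines with backslash continuations presumably stops matching even when it uses `-P`. A short comment above the option, `# Keep '...' on one line so a flag from the next command is not attributed to tar; backslash-continued tar commands are not matched`, would record that trade-off next to the knob. The collapsed indentation here cannot show whether `options:` sits at rule level or under `metadata:` next to `references:`; semgrep honours it only at rule level, so that placement is worth confirming, for example by checking that the new fixture lines in generic/tar-insecure-flags.sh no longer produce a finding.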
From 64457d379e459ed1e59ca00ffc753849da0ff0d7 Mon Sep 17 00:00:00 2001
From: Mike Shirley
Date: Tue, 6 Feb 2024 10:30:56 -0600
Subject: [PATCH 3/3] Update generic/tar-insecure-flags.sh

Co-authored-by: mschwager
---
 generic/tar-insecure-flags.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/generic/tar-insecure-flags.sh b/generic/tar-insecure-flags.sh
index 686ae39..9f42f69 100644
--- a/generic/tar-insecure-flags.sh
+++ b/generic/tar-insecure-flags.sh
@@ -13,6 +13,7 @@ tar -xvf --Psomeotherflag archive.tar
 tar -xvf archive.tar
 
 # Unbounded ellipsis span in pattern wraps to next command in some scenarios
+# ok: tar-insecure-flags
 wget https://git.kernel.org/torvalds/t/linux-6.8-rc1.tar.gz -O - | tar -xz -C / && mv linux-6.8-rc1 linux
 
 # This shouldn't match, but the ellipsis wrap picks up the p flag in this command and associates it with the previous command