Do not inject data into shell code strings (sh -c)

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: bash-security/dont-inject-data-into-shell-code-strings

Language: Bash

Severity: Error

Category: Security

CWE: 78

Description

The script argument to sh -c is run by a new shell. If that argument is double-quoted and contains parameter expansion ($var, ${var}), the outer shell substitutes values into the string before the inner shell parses it, which can turn filenames or other input into command injection (CWE-78).

Prefer passing data as operands after the script (e.g. sh -c 'cmd "$1"' _ "$path") or a single-quoted script so the outer shell does not expand into the -c text.

Non-Compliant Code Examples

#!/bin/bash
sh -c "rm $file"
/bin/sh -c "touch ${path}"
sh -c "install $pkg in /opt"
bash -c "run $cmd"
/usr/bin/zsh -c "cp ${src} dest"

Compliant Code Examples

#!/bin/bash
sh -c 'echo hello'
sh -c "echo hello"
sh -c 'rm -- "$1"' _ "$filepath"
sh -c "$(curl -fsSL https://example.com/install.sh)"
sh -c "wc $(cat list.txt)"
sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
bash -c 'echo $1' _ "$safe"
zsh -c "echo ok"
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

원활한 통합. Datadog Code Security를 경험해 보세요

Datadog Code Security