Skip to content

Commit

Permalink
plugins/semgrep: sanitize scan options to avoid shell injection
Browse files Browse the repository at this point in the history
  • Loading branch information
rhyw committed Mar 21, 2024
1 parent 4618775 commit 4014c4e
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions py/plugins/semgrep.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@
"""
import os

from csmock.common.util import sanitize_opts_arg


# disable metrics to be sent to semgrep cloud
DEFAULT_SEMGREP_SEND_METRICS = "off"

Expand Down Expand Up @@ -96,6 +99,9 @@ def handle_args(self, parser, args, props): # pylint: disable=too-many-statemen
if not args.semgrep_rules_repo:
parser.error("'--semgrep-rules-repo' is required to run semgrep scan")

# sanitize options passed to --semgrep-scan-opts to avoid shell injection
self.semgrep_scan_opts = sanitize_opts_arg(parser, args, "--semgrep-scan-opts")

# install semgrep cli and download semgrep rules
def prepare_semgrep_runtime_hook(results, props):
# target dir where semgrep cli and its dependencies are installed
Expand Down Expand Up @@ -164,8 +170,8 @@ def scan_hook(results, mock, props): # pylint: disable=unused-argument
semgrep_scan_cmd += " --verbose"

# append additional options passed to the 'semgrep scan' command
if args.semgrep_scan_opts:
semgrep_scan_cmd += f" {args.semgrep_scan_opts}"
if self.semgrep_scan_opts:
semgrep_scan_cmd += f" {self.semgrep_scan_opts}"

# eventually append the target directory to be scanned
semgrep_scan_cmd += (
Expand Down

0 comments on commit 4014c4e

Please sign in to comment.