Merge branch 'secure-coding-os-command-injection' into 'master'

Add OS command injection into secure coding guidelines documentation See merge request gitlab-org/gitlab!43288

Merge branch 'secure-coding-os-command-injection' into 'master'
Add OS command injection into secure coding guidelines documentation See merge request gitlab-org/gitlab!43288
9682ce9e · Nick Gaskill · 9b24e58e · 99dada18 · 9682ce9e
Commit 9682ce9e authored Oct 21, 2020 by Nick Gaskill
Hide whitespace changes
Inline Side-by-side

Showing with 73 additions and 0 deletions

doc/development/secure_coding_guidelines.md doc/development/secure_coding_guidelines.md +73 -0

No files found.
--- a/doc/development/secure_coding_guidelines.md
+++ b/doc/development/secure_coding_guidelines.md
@@ -431,3 +431,76 @@ requires :file_path, type: String, file_path: true
 NOTE: **Note:**
 Absolute paths are not allowed by default. If allowing an absolute path is required, you
 need to provide an array of paths to the parameter `allowlist`.  
+
+## OS command injection guidelines
+
+Command injection is an issue in which an attacker is able to execute arbitrary commands on the host
+operating system through a vulnerable application. Such attacks don't always provide feedback to a
+user, but the attacker can use simple commands like `curl` to obtain an answer.
+
+### Impact
+
+The impact of command injection greatly depends on the user context running the commands, as well as
+how data is validated and sanitized. It can vary from low impact because the user running the
+injected commands has limited rights, to critical impact if running as the root user.
+
+Potential impacts include:
+
+- Execution of arbitrary commands on the host machine.
+- Unauthorized access to sensitive data, including passwords and tokens in secrets or configuration
+  files.
+- Exposure of sensitive system files on the host machine, such as `/etc/passwd/` or `/etc/shadow`.
+- Compromise of related systems and services gained through access to the host machine.
+
+You should be aware of and take steps to prevent command injection when working with user-controlled
+data that are used to run OS commands.
+
+### Mitigation and prevention
+
+To prevent OS command injections, user-supplied data shouldn't be used within OS commands. In cases
+where you can't avoid this:
+
+- Validate user-supplied data against an allowlist.
+- Ensure that user-supplied data only contains alphanumeric characters (and no syntax or whitespace
+  characters, for example).
+- Always use `--` to separate options from arguments.
+
+### Ruby
+
+Consider using `system("command", "arg0", "arg1", ...)` whenever you can. This prevents an attacker
+from concatenating commands.
+
+For more examples on how to use shell commands securely, consult
+[Guidelines for shell commands in the GitLab codebase](shell_commands.md).
+It contains various examples on how to securely call OS commands.
+
+### Go
+
+Go has built-in protections that usually prevent an attacker from successfully injecting OS commands.
+
+Consider the following example:
+
+```golang
+package main
+
+import (
+  "fmt"
+  "os/exec"
+)
+
+func main() {
+  cmd := exec.Command("echo", "1; cat /etc/passwd")
+  out, _ := cmd.Output()
+  fmt.Printf("%s", out)
+}
+```
+
+This echoes `"1; cat /etc/passwd"`.
+
+**Do not** use `sh`, as it bypasses internal protections:
+
+```golang
+out, _ = exec.Command("sh", "-c", "echo 1 | cat /etc/passwd").Output()
+```
+
+This outputs `1` followed by the content of `/etc/passwd`.