mcp-server-semgrep/semgrep-rules/python/aws-lambda/security/dangerous-system-call.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: dangerous-system-call
  mode: taint
  message: >-
    Detected `os` function with argument tainted by `event` object.
    This is dangerous if external data can reach this function call because it allows a malicious
    actor to execute commands. Use the 'subprocess' module instead, which is
    easier to use without accidentally exposing a command injection
    vulnerability.
  metadata:
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
    cwe:
    - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    asvs:
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      control_id: 5.2.4 Dyanmic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
      version: '4'
    category: security
    technology:
    - python
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: MEDIUM
  languages:
  - python
  severity: ERROR
  pattern-sources:
  - patterns:
    - pattern: event
    - pattern-inside: |
        def $HANDLER(event, context):
          ...
  pattern-sinks:
  - patterns:
    - focus-metavariable: $CMD
    - pattern-either:
      - pattern: os.system($CMD,...)
      - pattern: os.popen($CMD,...)
      - pattern: os.popen2($CMD,...)
      - pattern: os.popen3($CMD,...)
      - pattern: os.popen4($CMD,...)