plugins/semgrep: sanitize scan options to avoid shell injection

csutils · Mar 21, 2024 · 8c4dbfb · 8c4dbfb
1 parent 370463a
commit 8c4dbfb
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/py/plugins/semgrep.py b/py/plugins/semgrep.py
@@ -20,6 +20,9 @@
 """
 import os
 
+from csmock.common.util import sanitize_opts_arg
+
+
 # disable metrics to be sent to semgrep cloud
 DEFAULT_SEMGREP_SEND_METRICS = "off"
 
@@ -96,6 +99,9 @@ def handle_args(self, parser, args, props): # pylint: disable=too-many-statemen
  if not args.semgrep_rules_repo:
  parser.error("'--semgrep-rules-repo' is required to run semgrep scan")
 
+ # sanitize options passed to --semgrep-scan-opts to avoid shell injection
+ self.semgrep_scan_opts = sanitize_opts_arg(parser, args, "--semgrep-scan-opts")
+
  # install semgrep cli and download semgrep rules
  def prepare_semgrep_runtime_hook(results, props):
  # target dir where semgrep cli and its dependencies are installed
@@ -164,8 +170,8 @@ def scan_hook(results, mock, props): # pylint: disable=unused-argument
  semgrep_scan_cmd += " --verbose"
 
  # append additional options passed to the 'semgrep scan' command
- if args.semgrep_scan_opts:
- semgrep_scan_cmd += f" {args.semgrep_scan_opts}"
+ if self.semgrep_scan_opts:
+ semgrep_scan_cmd += f" {self.semgrep_scan_opts}"
 
  # eventually append the target directory to be scanned
  semgrep_scan_cmd += (