Ensure run commands are not vulnerable to shell injection
Description
This policy checks whether CircleCI pipeline `run` commands are vulnerable to shell injection. CircleCI substitutes pipeline values such as `<< pipeline.git.branch >>`, `<< pipeline.git.tag >>` and pipeline parameters (which can be set by whoever triggers a pipeline through the API) into the configuration text before the job executes. When one of these values is placed directly inside a `run` command, the shell parses whatever it contains as part of the command line, so an attacker who controls a branch name, tag name or parameter can close the intended command with a quote or semicolon and append their own. In a CI/CD pipeline this means arbitrary code running with access to the job's secrets, build artifacts and deployment credentials. Run commands must therefore receive such values as data (for example through environment variables) rather than as interpolated command text.
Code Example
```yaml
version: 2.1
jobs:
  build-and-test:
    docker:
      - image: circleci/python:3.9
    steps:
      - run: |
          # Use parameterized commands or avoid using user-input data
          echo 'Hello World'
```
Remediation
Do not interpolate pipeline values or parameters directly into `run` commands. Pass them to the step through its `environment` key (or use the built-in `CIRCLE_BRANCH` and `CIRCLE_TAG` variables) and reference them as quoted shell variables such as `"$BRANCH"`; a value that reaches the shell through the environment is expanded as a single word and is never parsed as shell syntax. Where a value must select a command or path, validate it against an allowlist before use.
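The following is an added example, not code from the page or from Checkov, that makes the injection concrete: it simulates CircleCI's config-time substitution of `<< pipeline.git.branch >>` as plain text replacement, runs the resulting command through `sh -c` as a job would, and contrasts it with the `environment`-based form from the remediation above. The hostile branch name, the `interpolate` helper and the `unsafe_run_commands` heuristic are all assumptions made for the illustration; the heuristic is not Checkov's own detection logic. The equivalent CircleCI YAML for each step is given in the comments.

```python
"""Added example: CircleCI run-command shell injection and its fix.

Assumptions: `<< pipeline.* >>` substitution is textual replacement, the job
shell is POSIX sh, and the branch name below is an attacker-controlled value
constructed for this example.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Constructed hostile branch name: closes the quoted string, appends a command,
# then reopens a quote so the remainder of the line stays syntactically valid.
MALICIOUS_BRANCH = 'feature"; echo INJECTED; echo "'

# Pipeline values that are substituted before the shell runs and that an outside
# party may influence (git metadata, API-supplied parameters).
UNSAFE_VALUE_RE = re.compile(r"<<\s*(pipeline\.git\.|pipeline\.parameters\.|parameters\.)")


def interpolate(template: str, values: Dict[str, str]) -> str:
    """Stand-in for CircleCI's config-time `<< key >>` substitution (assumption:
    plain text replacement, which is exactly why the shell sees the value as
    command text)."""
    out = template
    for key, value in values.items():
        out = out.replace(f"<< {key} >>", value)
    return out


def run_step(command: str, extra_env: Optional[Dict[str, str]] = None) -> str:
    """Execute a `run` command the way the job would: `sh -c <command>`."""
    env = {**os.environ, **(extra_env or {})}
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True, env=env)
    return result.stdout


def vulnerable_step(branch: str) -> str:
    # Equivalent CircleCI step:
    #   - run: echo "Building << pipeline.git.branch >>"
    command = interpolate('echo "Building << pipeline.git.branch >>"',
                          {"pipeline.git.branch": branch})
    return run_step(command)


def hardened_step(branch: str) -> str:
    # Equivalent CircleCI step (value travels as an environment variable):
    #   - run:
    #       environment:
    #         BRANCH: << pipeline.git.branch >>
    #       command: echo "Building $BRANCH"
    # "$BRANCH" is expanded as one word; its contents are not re-parsed.
    return run_step('echo "Building $BRANCH"', {"BRANCH": branch})


def unsafe_run_commands(commands: List[str]) -> List[str]:
    """Heuristic (not Checkov's implementation): flag run commands that
    interpolate an untrusted pipeline value directly into command text."""
    return [c for c in commands if UNSAFE_VALUE_RE.search(c)]


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_step(MALICIOUS_BRANCH)))
    print("hardened:  ", repr(hardened_step(MALICIOUS_BRANCH)))
    print("flagged:   ", unsafe_run_commands([
        'echo "Building << pipeline.git.branch >>"',
        'echo "Building $BRANCH"',
    ]))
```

Running the script shows the vulnerable step printing `INJECTED` on its own line, because the substituted command has become `echo "Building feature"; echo INJECTED; echo ""`, while the hardened step prints the hostile branch name verbatim as a single argument. The same pattern applies to `<< pipeline.git.tag >>`, pipeline parameters, and `<< parameters.* >>` inside reusable commands.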
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0827 |
| Severity | HIGH |
| IaC Type | circleci_pipelines |
| Frameworks | jobs.*.steps[] |
| Checkov ID | CKV_CIRCLECIPIPELINES_6 |