Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Regression] unquoted-command-substitution-in-command & unquoted-variable-expansion-in-command [BASH] causes semgrep CRASH #3449

Open
1 of 3 tasks
mjnowen opened this issue Aug 12, 2024 · 1 comment
Open
1 of 3 tasks

[Regression] unquoted-command-substitution-in-command & unquoted-variable-expansion-in-command [BASH] causes semgrep CRASH #3449

mjnowen opened this issue Aug 12, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@mjnowen
Copy link

mjnowen commented Aug 12, 2024
edited
Loading

Describe the bug
In semgrep release v1.58.0, the following 2 x BASH rules (using latest commit: 57cb8aa) fail with the following example line of bash script:

unquoted-command-substitution-in-command
unquoted-variable-expansion-in-command

docker run --interactive --tty --rm \
	--mount type=bind,source="$(pwd)",target=/code,readonly "${FOO}" .

In semgrep release v1.59.0 and onwards to v1.84.1 (latest at time of writing), semgrep crashes with this error message:

{"errors": [{"code": 2, "level": "warn", "message": "Other syntax error at line NO FILE INFO YET:-1:\n Invalid_argument: index out of bounds", "path": "NO FILE INFO YET", "type": "Other syntax error"}], "paths": {"scanned": []}, "results": [], "skipped_rules": [], "version": "1.59.0"}

To Reproduce
Code to reproduce this behavior:

# ubuntu 22.04
cd /usr/local

# latest commit of semgrep-rules
sudo git clone https://github.com/semgrep/semgrep-rules.git

sudo rm -r /usr/local/semgrep-rules/stats /usr/local/semgrep-rules/.github /usr/local/semgrep-rules/.pre-commit-config.yaml
sudo pip3 install --break-system-packages semgrep==1.58.0
semgrep --json --config=/usr/local/semgrep-rules --no-git-ignore --metrics=off --no-rewrite-rule-ids .
# it works

sudo pip3 install --break-system-packages semgrep==1.59.0
semgrep --json --config=/usr/local/semgrep-rules --no-git-ignore --metrics=off --no-rewrite-rule-ids .

# it crashes with this message:
{"errors": [{"code": 2, "level": "warn", "message": "Other syntax error at line NO FILE INFO YET:-1:\n Invalid_argument: index out of bounds", "path": "NO FILE INFO YET", "type": "Other syntax error"}], "paths": {"scanned": []}, "results": [], "skipped_rules": [], "version": "1.59.0"}

Expected behavior

  1. semgrep application should not crash due to a bad rule(s)!
  2. 2 x semgrep bash rules are generating false-positives against my example line of bash script as seen above.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me

Additional Context
Add any other context about the problem here.
@mjnowen mjnowen added the bug Something isn't working label Aug 12, 2024
@mjnowen mjnowen mentioned this issue Aug 12, 2024
Open
2 tasks
@mjnowen
Copy link
Author

mjnowen commented Aug 12, 2024

Possibly related: semgrep/semgrep#10072

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mjnowen