
Commit 7a5a03d

committed
2.0.16 Fixed issue with false positive during curl to bash analysis
1 parent 87546af commit 7a5a03d

8 files changed

Lines changed: 54 additions & 20 deletions


.idea/AndroidProjectSystem.xml

Lines changed: 6 additions & 0 deletions

.idea/go.imports.xml

Lines changed: 11 additions & 0 deletions

.idea/misc.xml

Lines changed: 0 additions & 1 deletion

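--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 # Cloud (IaC) Security Changelog
 
+## [2.0.16] 07-02-2026
+
+### Fixed
+- Fixed an [issue](https://github.com/NordCoderd/cloud-security-plugin/issues/4) with false positive during curl to bash analysis.
+
+Thanks to [@avbasov](https://github.com/avbasov) for reporting it.
+
 ## [2.0.15] 16-12-2025
 
 ### Fixed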

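--- a/gradle.properties
+++ b/gradle.properties
@@ -1,7 +1,7 @@
 pluginGroup = dev.protsenko.securityLinter
 pluginName = Cloud (IaC) Security
 pluginRepositoryUrl = https://github.com/NordCoderd/cloud-security-plugin
-pluginVersion = 2.0.15
+pluginVersion = 2.0.16
 
 # Supported build number ranges and IntelliJ Platform versions -> https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 pluginSinceBuild = 231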

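--- a/src/main/kotlin/dev/protsenko/securityLinter/docker/checker/CurlBashingValidator.kt
+++ b/src/main/kotlin/dev/protsenko/securityLinter/docker/checker/CurlBashingValidator.kt
@@ -3,7 +3,8 @@ package dev.protsenko.securityLinter.docker.checker
 import dev.protsenko.securityLinter.docker.checker.core.RunCommandValidator
 
 object CurlBashingValidator : RunCommandValidator {
-    val curlBashingRegex = Regex("RUN.*(curl|wget)[^|^>]*[|>]")
+    val curlBashingRegex =
+        Regex("""RUN\s+(?s:.*)(curl|wget)\s+(?s:.*)[|>]+\s*(bash|sh|zsh|ksh|tcsh|csh|dash|ash)\b""", RegexOption.IGNORE_CASE)
 
     override fun isValid(command: String): Boolean = !curlBashingRegex.containsMatchIn(command)
 }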
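Review bot: The `+` line defining `curlBashingRegex` requires the interpreter name to follow the pipe or redirect directly, so `RUN curl -fsSL https://example.com | sudo bash`, `| /bin/sh` and `| /usr/bin/env bash` — all caught by the previous `[^|^>]*[|>]` pattern — now return true from `isValid`; for a rule whose point is unreviewed remote script execution that is a coverage regression the false-positive fix does not need. Allowing an optional prefix before the interpreter alternation, e.g. `[|>]+\s*(?:sudo\s+|env\s+|-\S+\s+|\S*/)*(bash|sh|zsh|ksh|tcsh|csh|dash|ash)\b`, keeps the `| sha256sum -c -` case from the new test valid while restoring those forms. Separately, both `(?s:.*)` segments are greedy and unanchored, so the match spans the whole RUN command and `[|>]+` also accepts `||`, meaning `RUN curl -o /tmp/x https://example.com || sh ./fallback.sh` is still flagged although nothing fetched is executed; a KDoc on the property such as `/** Flags a RUN step whenever a curl/wget download is followed anywhere later by a pipe or redirect into a shell; deliberately coarse. */` would make that trade-off explicit. CurlBashingCheckerTest.kt in this commit should add the `sudo` and path-prefixed forms to `testInvalidCommands` so the narrowing is caught next time.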

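--- a/src/test/kotlin/dev/protsenko/securityLinter/utils/CurlBashingCheckerTest.kt
+++ b/src/test/kotlin/dev/protsenko/securityLinter/utils/CurlBashingCheckerTest.kt
@@ -4,33 +4,43 @@ import dev.protsenko.securityLinter.docker.checker.CurlBashingValidator
 import junit.framework.TestCase
 
 class CurlBashingCheckerTest : TestCase() {
-
     fun testInvalidCommands() {
-        val commands = listOf(
-            "RUN curl -s https://example.com | bash",
-            "RUN wget -q https://example.com \n| bash",
-            "RUN curl -o- https://example.com \\n> bash",
-            "RUN wget https://example.com \\\n| sh"
-        )
+        val commands =
+            listOf(
+                "RUN curl -s https://example.com | bash",
+                "RUN wget -q https://example.com \n| bash",
+                "RUN curl -o- https://example.com \\n> bash",
+                "RUN wget https://example.com \\\n| sh",
+            )
         for (command in commands) {
             assertFalse(
                 "Command '$command' should be invalid for curl bashing",
-                CurlBashingValidator.isValid(command)
+                CurlBashingValidator.isValid(command),
             )
         }
     }
 
     fun testValidCommands() {
-        val commands = listOf(
-            "RUN echo Hello World",
-            "RUN curl -s https://example.com",
-            "RUN wget -q https://example.com",
-            "RUN echo 'Some command' | bash"
-        )
+        val commands =
+            listOf(
+                "RUN echo Hello World",
+                "RUN curl -s https://example.com",
+                "RUN wget -q https://example.com",
+                "RUN echo 'Some command' | bash",
+                """
+                RUN curl -L "https://github.com/go-task/task/releases/download/${'$'}{TASK_VERSION}/task_${'$'}{TARGETOS}_${'$'}{TARGETARCH}.tar.gz" -o "/tmp/task_${'$'}{TARGETOS}_${'$'}{TARGETARCH}.tar.gz" \
+                && curl -L "https://github.com/go-task/task/releases/download/${'$'}{TASK_VERSION}/task_checksums.txt" -o "/tmp/task_checksums.txt" \
+                && cd /tmp && grep "task_${'$'}{TARGETOS}_${'$'}{TARGETARCH}.tar.gz" task_checksums.txt | sha256sum -c - \
+                && tar -C /opt -xzf "/tmp/task_${'$'}{TARGETOS}_${'$'}{TARGETARCH}.tar.gz" task
+                """.trimIndent(),
+                "RUN curl -s https://example.com > /dev/null",
+                "RUN wget -O /tmp/file https://example.com",
+                "RUN curl -s https://example.com | grep foo",
+            )
         for (command in commands) {
             assertTrue(
                 "Command '$command' should be valid for curl bashing",
-                CurlBashingValidator.isValid(command)
+                CurlBashingValidator.isValid(command),
             )
         }
     }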

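--- a/src/test/testData/docker/DS013/Dockerfile.denied
+++ b/src/test/testData/docker/DS013/Dockerfile.denied
@@ -4,8 +4,8 @@ Avoid using both 'wget' and 'curl' since these tools have the same effect.">RUN
 
 FROM baseimage:1.0
 USER mike
-<error descr="Curl bashing detected
-Avoid using curl or wget with pipe (|) or redirection (>) to directly execute scripts from untrusted sources.">RUN curl http://bing.com]> but was:<[FROM debian:stable-20210621</error>
+<warning descr="RUN using 'wget' and 'curl'
+Avoid using both 'wget' and 'curl' since these tools have the same effect.">RUN curl http://bing.com]> but was:<[FROM debian:stable-20210621</warning>
 
 FROM baseimage:1.0
 USER mike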
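Review bot: The two replaced `+` lines switch the expected diagnostic on the `RUN curl http://bing.com]> but was:<[FROM debian:stable-20210621` line from the curl-bashing error to the wget/curl warning, so unless a line outside this hunk still pipes or redirects a download into a shell, the DS013 `.denied` fixture no longer exercises the rule the directory appears to be named for and the positive case lives only in CurlBashingCheckerTest. The fixture line itself reads like a fragment of a JUnit assertion message (`]> but was:<[`) rather than a Dockerfile instruction, which is presumably why the old `[|>]`-terminated regex matched it and the new one does not. Keeping one deliberate positive in the fixture, e.g. `RUN curl -fsSL https://example.com/install.sh | sh`, would preserve an end-to-end highlighting test for the new pattern. The `@@` context shows the file continuing above and below the shown lines, so this is inferred from the hunk alone.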
