bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323

//! SEC003: Command Injection via find -exec with sh -c
//!
//! **Rule**: Detect `{}` embedded in shell command strings within `find -exec sh -c`
//!
//! **Why this matters**:
//! When {} appears inside a shell command string (sh -c '...{}...'), filenames
//! with special characters can lead to command injection. The {} is expanded
//! by find BEFORE the shell parses the string, allowing malicious filenames
//! to inject arbitrary commands.
//!
//! **Important**: Unquoted {} as a separate argument (find -exec rm {} \;) is
//! SAFE because find passes the filename as a single argument. The shell never
//! interprets it.
//!
//! **Auto-fix**: Use positional parameters instead
//!
//! ## Examples
//!
//! ❌ **UNSAFE** (command injection via embedded {}):
//! ```bash
//! find . -exec sh -c 'echo {}' \;
//! find . -exec bash -c "rm {}" \;
//! ```
//!
//! ✅ **SAFE** (use positional parameters):
//! ```bash
//! find . -exec sh -c 'echo "$1"' _ {} \;
//! find . -exec bash -c 'rm "$1"' _ {} \;
//! ```
//!
//! ✅ **SAFE** ({} as separate argument - NOT in shell string):
//! ```bash
//! find . -exec rm {} \;
//! find . -exec chmod 644 {} +
//! ```

use crate::linter::{Diagnostic, Fix, LintResult, Severity, Span};

/// Check if a line has the dangerous find -exec pattern and return a diagnostic if so
fn check_find_exec_injection(line: &str, line_num: usize) -> Option<Diagnostic> {
    if !line.contains("find ") || !line.contains("-exec") {
        return None;
    }
    if !(line.contains("sh -c") || line.contains("bash -c")) || !line.contains("{}") {
        return None;
    }
    if !is_braces_in_shell_string(line) {
        return None;
    }
    let col = find_braces_in_quotes(line)?;
    let span = Span::new(line_num + 1, col + 1, line_num + 1, col + 3);
    Some(
        Diagnostic::new(
            "SEC003",
            Severity::Error,
            "Command injection: {} embedded in shell string. Use positional params: sh -c 'cmd \"$1\"' _ {}",
            span,
        )
        .with_fix(Fix::new("\"$1\"")),
    )
}

/// Check for {} embedded in shell command strings (dangerous injection vector)
pub fn check(source: &str) -> LintResult {
    if source.is_empty() { return LintResult::new(); }
    // Contract: safety-classifier-v1.yaml precondition (pv codegen)
    contract_pre_classify_injection!(source);
    let mut result = LintResult::new();
    for (line_num, line) in source.lines().enumerate() {
        if let Some(diag) = check_find_exec_injection(line, line_num) {
            result.add(diag);
        }
    }
    result
}

/// Check if {} appears inside a quoted string in the line
fn is_braces_in_shell_string(line: &str) -> bool {
    // Simple heuristic: check for patterns like '...{}...' or "...{}..."
    let single_quote_pattern = |s: &str| {
        let mut in_single = false;
        let mut found_braces_in_quote = false;
        let chars: Vec<char> = s.chars().collect();
        for i in 0..chars.len() {
            if chars[i] == '\'' {
                in_single = !in_single;
            }
            if in_single && i + 1 < chars.len() && chars[i] == '{' && chars[i + 1] == '}' {
                found_braces_in_quote = true;
            }
        }
        found_braces_in_quote
    };

    let double_quote_pattern = |s: &str| {
        let mut in_double = false;
        let mut found_braces_in_quote = false;
        let chars: Vec<char> = s.chars().collect();
        for i in 0..chars.len() {
            if chars[i] == '"' && (i == 0 || chars[i - 1] != '\\') {
                in_double = !in_double;
            }
            if in_double && i + 1 < chars.len() && chars[i] == '{' && chars[i + 1] == '}' {
                found_braces_in_quote = true;
            }
        }
        found_braces_in_quote
    };

    single_quote_pattern(line) || double_quote_pattern(line)
}

/// Find the column position of {} inside quotes
fn find_braces_in_quotes(line: &str) -> Option<usize> {
    let mut in_single = false;
    let mut in_double = false;
    let chars: Vec<char> = line.chars().collect();

    for i in 0..chars.len() {
        if chars[i] == '\'' && !in_double {
            in_single = !in_single;
        }
        if chars[i] == '"' && !in_single && (i == 0 || chars[i - 1] != '\\') {
            in_double = !in_double;
        }
        if (in_single || in_double) && i + 1 < chars.len() && chars[i] == '{' && chars[i + 1] == '}'
        {
            return Some(i);
        }
    }
    None
}

#[cfg(test)]
mod tests {
    use super::*;

    // ===== Tests for DANGEROUS pattern: sh -c with embedded {} =====

    #[test]
    fn test_SEC003_detects_sh_c_with_embedded_braces_single_quote() {
        // DANGEROUS: {} inside shell string - command injection risk
        let script = "find . -exec sh -c 'echo {}' \\;";
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 1);
        let diag = &result.diagnostics[0];
        assert_eq!(diag.code, "SEC003");
        assert_eq!(diag.severity, Severity::Error);
        assert!(diag.message.contains("Command injection"));
    }

    #[test]
    fn test_SEC003_detects_bash_c_with_embedded_braces_double_quote() {
        // DANGEROUS: {} inside shell string with double quotes
        let script = r#"find . -exec bash -c "rm {}" \;"#;
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_SEC003_provides_fix_for_injection() {
        let script = "find . -exec sh -c 'cat {}' \\;";
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 1);
        assert!(result.diagnostics[0].fix.is_some());
        let fix = result.diagnostics[0].fix.as_ref().unwrap();
        assert_eq!(fix.replacement, "\"$1\"");
    }

    // ===== Tests for SAFE patterns: {} as separate argument =====

    #[test]
    fn test_SEC003_no_warning_for_standard_find_exec() {
        // SAFE: {} as separate argument - find handles it, shell never sees it
        let script = r#"find . -name "*.sh" -exec chmod +x {} \;"#;
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_SEC003_no_warning_for_rm_with_braces() {
        // SAFE: {} as separate argument
        let script = "find /tmp -type f -exec rm {} \\;";
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_SEC003_no_warning_for_batch_mode() {
        // SAFE: {} with + batch mode
        let script = "find . -type f -exec chmod 644 {} +";
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_SEC003_no_false_positive_no_find() {
        let script = "echo {} something";
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 0);
    }

    // REQ-FP-006: SEC003 MUST NOT flag unquoted {} in find -exec
    // Rationale: {} is handled by find, not the shell. Quoting provides no security benefit.
    #[test]
    fn test_SEC003_no_false_positive_find_exec_standard() {
        // Standard find -exec patterns - {} is handled by find, NOT the shell
        let script = r#"find . -name "*.txt" -exec rm {} \;
find . -type f -exec chmod 644 {} +"#;
        let result = check(script);

        assert_eq!(
            result.diagnostics.len(),
            0,
            "SEC003 must NOT flag {{}} in find -exec - it's handled by find, not the shell"
        );
    }

    #[test]
    fn test_SEC003_no_false_positive_find_execdir() {
        // execdir variant - same principle
        let script = "find . -execdir mv {} {}.bak \\;";
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_SEC003_safe_positional_params() {
        // SAFE: Using positional parameters correctly
        let script = r#"find . -exec sh -c 'echo "$1"' _ {} \;"#;
        let result = check(script);

        assert_eq!(result.diagnostics.len(), 0);
    }

    // ===== Mutation Coverage Tests - Following SEC001 pattern (100% kill rate) =====

    #[test]
    fn test_mutation_sec003_line_num_calculation() {
        // Tests line number calculation for multiline input
        let bash_code = "# comment\nfind . -exec sh -c 'echo {}' \\;";
        let result = check(bash_code);
        assert_eq!(result.diagnostics.len(), 1);
        // With +1: line 2, With *1: line 0
        assert_eq!(
            result.diagnostics[0].span.start_line, 2,
            "Line number must use +1, not *1"
        );
    }

    #[test]
    fn test_mutation_sec003_column_calculation() {
        // Tests column calculations
        let bash_code = "find . -exec sh -c 'echo {}' \\;";
        let result = check(bash_code);
        assert_eq!(result.diagnostics.len(), 1);
        let span = result.diagnostics[0].span;
        // {} is inside 'echo {}' - position should be after 'echo '
        assert!(
            span.start_col > 20,
            "Start column should be inside the quoted string"
        );
        assert_eq!(
            span.end_col - span.start_col,
            2,
            "Span should cover {{}} (2 chars)"
        );
    }

    #[test]
    fn test_mutation_sec003_double_quotes_detection() {
        // Tests detection in double-quoted strings
        let bash_code = r#"find . -exec bash -c "test {}" \;"#;
        let result = check(bash_code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_mutation_sec003_requires_find_keyword() {
        // Ensure we only check find commands, not other sh -c
        let bash_code = "sh -c 'echo {}' \\;";
        let result = check(bash_code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_mutation_sec003_requires_exec_flag() {
        // Ensure we require -exec, not just find with sh -c
        let bash_code = "find . -name '*.sh' | sh -c 'echo {}'";
        let result = check(bash_code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    // Issue #87: SEC003 should NOT flag standard find -exec with {} as separate arg
    #[test]
    fn test_SEC003_issue_87_no_false_positive_dirname() {
        // From issue #87 reproduction case
        let script = r#"DIRS=$(find "$CORPUS" -name "Cargo.toml" -exec dirname {} \; 2>/dev/null | sort -u)"#;
        let result = check(script);

        assert_eq!(
            result.diagnostics.len(),
            0,
            "SEC003 must NOT flag {{}} in 'find -exec dirname {{}} \\;' - it's a separate argument, not embedded in shell string"
        );
    }

    #[test]
    fn test_SEC003_issue_87_no_false_positive_command_substitution() {
        // Another common pattern from issue
        let script = "FILES=$(find /path -type f -exec basename {} \\;)";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }
}