Shell Running A Pipe Without Pipefail Flag

  • Query id: efbf148a-67e9-42d2-ac47-02fa1c0d0b22
  • Query name: Shell Running A Pipe Without Pipefail Flag
  • Platform: Dockerfile
  • Severity: Medium
  • Category: Insecure Defaults
  • URL: Github

Description

Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM node:12
RUN zsh ./some_output | ./some_script
RUN [ "/bin/bash", "./some_output", "|", "./some_script" ]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM node:12
RUN pwsh SOME_CMD | SOME_OTHER_CMD
SHELL [ "zsh", "-o","pipefail" ]
RUN zsh ./some_output | ./some_script
SHELL [ "/bin/bash", "-o","pipefail" ]
RUN [ "/bin/bash", "./some_output", "./some_script" ]