Signaling processes or process groups can seriously affect the stability of this application or other applications on the same system.
Accidentally setting an incorrect PID or signal or allowing untrusted sources to assign arbitrary values to these parameters may result in a denial of service.
Also, the system treats the signal differently if the destination PID is less than or equal to 0. This different behavior may affect multiple processes with the same (E)UID simultaneously if the call is left uncontrolled.
Ask Yourself Whether
- The parameters pid and sig are untrusted (they come from an external source).
- This function is triggered by non-administrators.
- Signal handlers on the target processes stop important functions.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- For stateful applications with user management, ensure that only administrators trigger this code.
- Verify that the pid and sig parameters are correct before using them.
- Ensure that the process sending the signals runs with as few OS privileges as possible.
- Isolate the process on the system based on its (E)UID.
- Ensure that the signal does not interrupt any essential functions when intercepted by a target’s signal handlers.
Sensitive Code Example
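import os
from flask import Flask

app = Flask(__name__)

@app.route("/kill-pid/<int:pid>")
def send_signal_to_pid(pid):
    os.kill(pid, 9)  # Sensitive: pid comes from the URL unchecked
    return ""

@app.route("/kill-pgid/<int:pgid>")
def send_signal_to_pgid(pgid):
    os.killpg(pgid, 9)  # Sensitive: pgid comes from the URL unchecked
    return ""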
Compliant Solution
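import os
from flask import Flask

app = Flask(__name__)

@app.route("/kill-pid/<int:pid>")
def send_signal_to_pid(pid):
    # Validate the untrusted PID
    # with a pre-approved list or authorization checks.
    # is_valid_pid() is application-specific and not defined here.
    if is_valid_pid(pid):
        os.kill(pid, 9)
    return ""

@app.route("/kill-pgid/<int:pgid>")
def send_signal_to_pgid(pgid):
    # Validate the untrusted PGID
    # with a pre-approved list or authorization checks.
    # is_valid_pgid() is application-specific and not defined here.
    if is_valid_pgid(pgid):
        os.killpg(pgid, 9)
    return ""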
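One way to implement the check that is_valid_pid() stands for, including the pid <= 0 case described above. This is an added example, not code from the original rule page: ALLOWED_SIGNALS, SignalRejected, parse_target, send_checked_signal and the managed_pids registry are assumed names, and a POSIX system is assumed.

```python
import os
import signal

# Assumption: this service only ever needs graceful stop/reload signals.
ALLOWED_SIGNALS = {"TERM": signal.SIGTERM, "HUP": signal.SIGHUP}


class SignalRejected(ValueError):
    """Raised when an untrusted pid/signal pair fails validation."""


def parse_target(raw_pid, raw_sig, managed_pids):
    """Turn untrusted strings into (pid, signal) or raise SignalRejected."""
    # At most 10 ASCII digits: rejects "-1", " 42", "4e2" and Unicode digits.
    ok = isinstance(raw_pid, str) and len(raw_pid) <= 10
    if not (ok and raw_pid.isascii() and raw_pid.isdigit()):
        raise SignalRejected("pid is not a plain decimal number")
    pid = int(raw_pid)
    # kill() with pid 0 targets the caller's own process group, and negative
    # values address a group or every process the caller may signal.
    if pid <= 0:
        raise SignalRejected("pid <= 0 addresses more than one process")
    if pid in (1, os.getpid(), os.getppid()):
        raise SignalRejected("refusing to signal init, self or parent")
    # Pre-approved list: only workers this service started itself.
    if pid not in managed_pids:
        raise SignalRejected("pid is not a managed worker")
    try:
        sig = ALLOWED_SIGNALS[raw_sig]
    except (KeyError, TypeError):
        raise SignalRejected("signal is not on the allow-list") from None
    return pid, sig


def send_checked_signal(raw_pid, raw_sig, managed_pids):
    """Validate, then signal. True if delivered, False if already gone."""
    pid, sig = parse_target(raw_pid, raw_sig, managed_pids)
    try:
        os.kill(pid, sig)
    except ProcessLookupError:
        managed_pids.discard(pid)  # stale entry: the worker has exited
        return False
    return True
```

Remove a PID from managed_pids as soon as its worker is reaped: the kernel reuses PIDs, so a stale entry can end up pointing at an unrelated process.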
See