This rule is deprecated, and will eventually be removed.

Sending OS signals without validating the target process ID or signal type can seriously affect the stability of the application or other processes on the system.

Why is this an issue?

OS signals control process execution: they can pause, terminate, or interrupt a process. When the destination PID or the signal type is derived from untrusted input without validation, an attacker can target arbitrary processes, including processes they do not own. Additionally, using a non-positive PID sends the signal to an entire process group simultaneously, multiplying the impact of an uncontrolled call.

What is the potential impact?

Denial of service

An attacker who controls the PID or signal value can terminate or interrupt arbitrary processes, including critical system services. This can crash the application, destabilize the host, or deny service to all other users of the system.

How to fix it

Code examples

The following code passes a process identifier received directly from user input to the signal function.

Noncompliant code example

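import os
from flask import Flask

app = Flask(__name__)

@app.route("/kill-pid/<pid>")
def send_signal_to_pid(pid):
    # The PID is taken from the URL and used without any validation
    os.kill(int(pid), 9)  # Noncompliant
    return "signal sent"

@app.route("/kill-pgid/<pgid>")
def send_signal_to_pgid(pgid):
    # The process group ID is taken from the URL and used without any validation
    os.killpg(int(pgid), 9)  # Noncompliant
    return "signal sent"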

Compliant solution

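import os
from flask import Flask, abort

app = Flask(__name__)

# is_valid_pid and is_valid_pgid are application-specific checks
# that the application must provide; they are not defined here.

@app.route("/kill-pid/<pid>")
def send_signal_to_pid(pid):
    # Validate the untrusted PID
    # with a pre-approved list or authorization checks
    if not is_valid_pid(pid):
        abort(403)
    os.kill(int(pid), 9)
    return "signal sent"

@app.route("/kill-pgid/<pgid>")
def send_signal_to_pgid(pgid):
    # Validate the untrusted PGID
    # with a pre-approved list or authorization checks
    if not is_valid_pgid(pgid):
        abort(403)
    os.killpg(int(pgid), 9)
    return "signal sent"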
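
One way to implement the validation that the compliant solution leaves to `is_valid_pid`, as an added example that is not part of the original rule text. `parse_pid`, `safe_signal`, `SignalRejected`, `ALLOWED_SIGNALS` and the `managed_pids` set are hypothetical names, and the example assumes the application records the PIDs of the workers it started itself and only ever needs graceful-stop signals.

```python
import os
import signal

# Assumption: only graceful-stop signals are ever needed by this endpoint.
ALLOWED_SIGNALS = {signal.SIGTERM, signal.SIGINT}


class SignalRejected(ValueError):
    """Raised when an untrusted PID or signal fails validation."""


def parse_pid(raw):
    """Turn untrusted text into a PID that addresses exactly one process."""
    text = str(raw).strip()
    # Plain ASCII digits only: rejects "-1", "+5", "0x10", "1e3", "" and
    # Unicode digits that int() would otherwise accept.
    if not (text.isascii() and text.isdigit()):
        raise SignalRejected(f"not a decimal PID: {raw!r}")
    pid = int(text)
    # 0 and negative values address process groups; 1 is init.
    if pid <= 1:
        raise SignalRejected(f"reserved PID: {pid}")
    return pid


def safe_signal(raw_pid, raw_sig, managed_pids, kill=os.kill):
    """Send raw_sig to raw_pid only if both pass validation.

    managed_pids: PIDs of workers this application started (assumption).
    kill: injectable for testing; defaults to os.kill.
    """
    pid = parse_pid(raw_pid)
    if pid not in managed_pids or pid == os.getpid():
        raise SignalRejected(f"PID {pid} is not a managed worker")
    try:
        sig = signal.Signals(int(raw_sig))
    except (ValueError, TypeError):
        raise SignalRejected(f"unknown signal: {raw_sig!r}") from None
    if sig not in ALLOWED_SIGNALS:
        raise SignalRejected(f"signal {sig.name} is not permitted")
    kill(pid, sig)
    return pid, sig
```

A route handler would call `safe_signal` with the URL parameters and translate `SignalRejected` into an HTTP 4xx response.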

Resources

Documentation

Standards