How to scan file(s) which are dynamically uploaded

I have a use case wherein a user will upload some Python/shell file to my application. My application allows the user to run these scripts on a server. Before running this script I want to validate whether the script has any security vulnerability or whether it is following certain best practices. Since the user is uploading this script to my application, it's not tied to a CI/CD pipeline; how can I use SonarQube to meet this use case?

If I upload the user script to, say, some S3 bucket, will it be possible to run the scan pointing to that location? What would be the best solution for this kind of use case?


It seems like you’ll need to upload to a quarantined area & then invoke analysis on the upload. But I’m wondering what you hope SonarQube analysis will do? You’re looking to find issues in the uploaded code? And then what?

This (executing uploaded code) seems to be a fundamentally risky undertaking, and simply analyzing isn’t going to increase your security.
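One concrete shape for the "quarantined area, then invoke analysis" flow described in the reply above, as an added example that is not code from the thread or from SonarSource. It assumes the sonar-scanner CLI (a version that accepts `sonar.token`, i.e. 5.x or newer) is on PATH and that SONAR_HOST_URL and SONAR_TOKEN are set; the quarantine root, the `upload-<id>` project-key scheme and the function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the thread or from SonarSource.
# Stages one uploaded script into a per-upload quarantine directory and runs
# sonar-scanner against that directory only, without ever executing the script.
# Assumptions: sonar-scanner (CLI 5.x or newer, which accepts sonar.token) is on
# PATH, and SONAR_HOST_URL / SONAR_TOKEN are set in the environment.
set -eu

# stage_upload <quarantine_root> <upload_id> <uploaded_file>
# Copies the upload into <quarantine_root>/<upload_id>, strips the execute bit,
# and prints the staging directory. The id is restricted to a safe character
# set so a user-controlled value cannot escape the quarantine root.
stage_upload() {
  root=$1; id=$2; upload=$3
  case $id in
    ''|*[!A-Za-z0-9_-]*) echo "stage_upload: invalid upload id" >&2; return 1 ;;
  esac
  dir="$root/$id"
  fname=$(basename -- "$upload")
  mkdir -p -- "$dir"
  cp -- "$upload" "$dir/$fname"
  chmod 0644 "$dir/$fname"
  printf '%s\n' "$dir"
}

# write_sonar_props <staging_dir> <project_key>
# Writes a minimal sonar-project.properties so each upload becomes its own
# SonarQube project, which keeps results for different uploads separable.
write_sonar_props() {
  dir=$1; key=$2
  cat > "$dir/sonar-project.properties" <<EOF
sonar.projectKey=$key
sonar.projectName=$key
sonar.sources=.
sonar.sourceEncoding=UTF-8
EOF
  printf '%s\n' "$dir/sonar-project.properties"
}

# scan_upload <staging_dir> <project_key>
# Runs the scanner from inside the quarantine directory. The scanner only
# submits a report; the server processes it asynchronously, so issues are not
# queryable the instant this returns (see the usage note below).
scan_upload() {
  ( cd "$1" && sonar-scanner \
      -Dsonar.host.url="$SONAR_HOST_URL" \
      -Dsonar.token="$SONAR_TOKEN" \
      -Dsonar.projectKey="$2" )
}

# fetch_open_issues <project_key>
# Queries the Web API for unresolved issues of that project; the token is sent
# as the basic-auth user name with an empty password.
fetch_open_issues() {
  curl -fsS -u "$SONAR_TOKEN:" \
    "$SONAR_HOST_URL/api/issues/search?componentKeys=$1&resolved=false"
}

# Usage: ./scan_upload.sh <upload_id> <uploaded_file>
# With no arguments the script only defines the functions above.
if [ $# -eq 2 ]; then
  key="upload-$1"
  dir=$(stage_upload "${QUARANTINE_ROOT:-/var/quarantine}" "$1" "$2")
  write_sonar_props "$dir" "$key" >/dev/null
  scan_upload "$dir" "$key"
fi
```

Two practical caveats: the scanner returns before the server has finished processing the report, so poll the task it reports (the `api/ce/task` endpoint) until it is successful before calling `fetch_open_issues`, otherwise you read the previous state of the project. And, as the reply says, a clean scan is not a safety guarantee; if the script is going to be executed at all, that execution still needs its own sandbox and least-privilege boundary, independent of what the analysis found.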