Qt-Security-QProcessStart

Check QProcess::start and others

Required inputs: IR

Qt's QProcess class allows starting external programs. This rule flags all calls to QProcess::start(), QProcess::exec(), QProcess::startDetached() and QProcess::setProgram() that pass a relative path to the executable (including a bare program name). This is dangerous because on Unix-like systems the executable is first searched for in the directories listed in the PATH environment variable; if it is not found there, the current working directory is searched. An attacker who can place an executable file with the expected name in the current working directory may therefore get that file executed instead of the intended program.

Possible Messages

Key                        Text                                                          Severity  Disabled
executable_called_by_name  Executable called without absolute path via {}.               None      False
program_not_determinable   The program called could not be determined at compile time.   None      False
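As an added example (not part of this rule documentation and not the analyzer's own implementation), the following C++ reproduces the decision the rule makes for each call site: a program path known at compile time and absolute is compliant, a known relative path or bare name yields executable_called_by_name, and a program argument that is not a compile-time constant yields program_not_determinable. The CallSite struct, the isAbsolutePath helper and the sample call sites are constructed for this illustration; the real check operates on the analyzer's IR rather than on strings.

```cpp
#include <cctype>
#include <optional>
#include <string>
#include <vector>

// One QProcess call site as the rule would see it after constant propagation.
// `program` is nullopt when the argument is not a compile-time constant (constructed model).
struct CallSite {
    std::string callee;                  // e.g. "QProcess::start"
    std::optional<std::string> program;  // literal program argument, if known
};

// True for paths that depend on neither PATH nor the working directory:
// POSIX "/usr/bin/tool", drive-letter "C:\tool.exe" / "C:/tool.exe", UNC "\\srv\share\tool.exe".
// "C:tool.exe" is drive-relative and therefore not absolute.
bool isAbsolutePath(const std::string& p) {
    if (p.empty()) return false;
    if (p[0] == '/') return true;                                       // POSIX absolute
    if (p.size() >= 2 && p[0] == '\\' && p[1] == '\\') return true;     // UNC path
    if (p.size() >= 3 && std::isalpha(static_cast<unsigned char>(p[0]))
        && p[1] == ':' && (p[2] == '\\' || p[2] == '/')) return true;   // drive-letter absolute
    return false;
}

// Returns the diagnostic text the rule would emit for this call site, with the
// callee substituted for the "{}" placeholder, or nullopt when the call is compliant.
std::optional<std::string> checkCallSite(const CallSite& site) {
    if (!site.program)
        return "The program called could not be determined at compile time.";
    if (!isAbsolutePath(*site.program))
        return "Executable called without absolute path via " + site.callee + ".";
    return std::nullopt;
}

// Runs the check over a set of call sites and returns only the findings.
std::vector<std::string> runCheck(const std::vector<CallSite>& sites) {
    std::vector<std::string> findings;
    for (const auto& s : sites)
        if (auto msg = checkCallSite(s)) findings.push_back(*msg);
    return findings;
}
```

In the model, `QProcess::start("ls")` and `QProcess::start("./ls")` are both reported, while `QProcess::start("/bin/ls")` is not.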

Options