Try in Playground


No tags


Make sure that programs do not let write permissions for all users. When using os.chmod, the user should never use S_IWOTH that gives the permission to all users to write the file on the filesystem.

Instead, this permission should be removed, and proper control access should be configured.

See the following related CWE:

  • CWE-275 category - Permission Issues
  • CWE-280 - Improper Handling of Insufficient Permissions or Privileges

Pattern Rule: os.chmod(${file}, ${mode})


How to write a rule
function visit(pattern, filename, code) {
  const mode = pattern.variables.get("mode");
  if(filename.includes("") || filename.startsWith("test_")) {

  if (mode.value.includes("stat.S_IWOTH")) {
    const error = buildError(mode.start.line, mode.start.col, mode.end.line, mode.end.col, "file can be written by others", "CRITICAL", "security");
    const filename = pattern.variables.get("file").value;
    const modes = mode.value.replaceAll(" ", "").split("|").filter(e => e !== "stat.S_IWOTH");
    const newModes = modes.join(" | ");
    const edit = buildEdit(mode.start.line, mode.start.col, mode.end.line, mode.end.col, "update", newModes);
    const fix = buildFix("remove the write flag", [edit]);


Expected test result: no error

no error since this is a test file

import stat

path = "/path/to/file"
os.chmod(path, stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)

Expected test result: no error

No write for all

import stat

path = "/path/to/file"
os.chmod(path, stat.S_IROTH | stat.S_IXOTH)

Expected test result: has error

Giving permission to everybody to write files

import stat

path = "/path/to/file"
os.chmod(path, stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
Add comment

Log in to add a comment

    Be the first one to leave a comment!

Codiga Logo
Codiga Hub
  • Rulesets
  • Playground
  • Snippets
  • Cookbooks
soc-2 icon

We are SOC-2 Compliance Certified

G2 high performer medal

Codiga – All rights reserved 2022.