Unsafe Global IFS Modification in OS400 Shell Script Enables Command Injection and Parsing Flaws (CWE-78/CWE-20)

High
C
curl
Submitted None
Reported by spectre-1

Vulnerability Details

Technical details and impact analysis

Improper Input Validation
In the curl source repository, the OS400 initialization script (packages/OS400/make-incs.sh) modifies the global shell variable IFS (Internal Field Separator) without local scoping or restoration. This pattern exposes users and CI/CD systems to unintended parsing, command injection, and logic errors if the environment or invoker is attacker-controlled or untrusted. Shell scripts that alter process-wide environment variables in this way are vulnerable to privilege escalation and unpredictable execution, especially where user input or automated tooling is involved. This issue and its report were identified and compiled with the assistance of an AI security agent to ensure a thorough technical review and reproduction.

Affected version

Confirmed on the curl master branch (as of August 2025) and present in all current/active releases for Unix-like systems where the OS400 build scripts are executed.

Example version: curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.7 zlib/1.2.13 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 nghttp2/1.51.0

Platform: Linux/macOS/AIX/OS400

Steps To Reproduce:

1. Clone or download the curl GitHub repository.
2. Open packages/OS400/make-incs.sh and search for occurrences of IFS using: grep -n IFS packages/OS400/make-incs.sh
3. Observe lines that reassign IFS globally (e.g., IFS="$IFS,") without scoping or restoring its prior value.
4. Review the script logic to confirm IFS is not contained in a subshell or temporary assignment, enabling a persistent global effect.
5. Cross-reference with Semgrep/static analysis rules for shell injection/unsafe IFS usage.

Supporting Material/References:

- File: packages/OS400/make-incs.sh (any lines manipulating IFS)
- Semgrep/static analysis results highlighting improper use of IFS in shell scripts
- curl/curl GitHub repository
- (Attach scan logs/screenshots if available)

Mitigation Plan

1. Audit all script locations where IFS is modified: use grep -n IFS packages/OS400/make-incs.sh to identify unsafe or global IFS assignments.
2. Apply local scoping and restoration for IFS changes: constrain IFS modifications to the smallest possible scope, ideally declaring them within a loop or subshell, not at script global level. Use inline assignments such as while IFS=, read ...; do ...; done. Alternatively, always save the original IFS value before any change, and restore it immediately after:

   old_IFS="$IFS"
   IFS=,
   # ... commands using new IFS ...
   IFS="$old_IFS"

3. Integrate static analysis in CI/CD: add Semgrep or ShellCheck rules to your CI pipeline to automatically detect and block unsafe global variable manipulations and shell injection patterns before merge.
4. Document secure shell scripting and input parsing practices: add clear development guidelines for contributors, highlighting the risks of global variable changes and best practices for safe parsing.
5. Review and test: after refactoring, test all affected scripts in all supported environments to ensure there are no functional regressions and that environment state is always predictable.

Implementing these steps will protect against command injection, parsing errors, and unintended side effects, greatly improving both the security posture and stability of scripting within the curl project.

Impact

Summary:

Manipulating the IFS variable globally within a shared or multi-user shell environment can:

- Enable attackers to exploit parsing logic for command injection, privilege escalation, or unintended code execution.
- Break automation and CI/CD workflows by introducing parsing bugs or unpredictable script behavior.
- Undermine the expected environment security for any scripts, processes, or users sharing the shell session.
- In some cases, lead to lateral movement within automated build pipelines or on developer systems.

Severity is typically High because of the elevated risk in CI and scripting contexts, especially if untrusted input is ever processed.

The most relevant CWEs are CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and CWE-20: Improper Input Validation.
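The unscoped assignment the report flags (IFS="$IFS,") placed beside the two scoped alternatives from the mitigation plan, as an added illustration that is not part of the report or of curl's own build scripts. The sample list, the function names and the leak check are constructed for this example; the script runs under any POSIX sh and verifies whether IFS still holds its default value after each form.

```shell
#!/bin/sh
# Added example: contrasts an unscoped IFS change with two scoped forms and
# checks that IFS is intact afterwards. Not from the curl report or repository;
# function names and the sample list are constructed for this illustration.

# Establish an explicit baseline: the POSIX default IFS (space, tab, newline).
default_ifs=$(printf ' \t\nX'); default_ifs=${default_ifs%X}
IFS="$default_ifs"

# Constructed sample input in the comma-separated style the OS400 script parses.
SAMPLE_LIST="openssl,zlib,nghttp2"

# Returns 0 when IFS still equals the default, 1 when something has changed it.
ifs_is_default() {
    [ "$IFS" = "$default_ifs" ]
}

# The pattern the report flags: IFS is appended to at function (effectively
# script) level and never restored, so every later unquoted expansion and
# every `read` in this shell process now also splits on ','.
split_global() {
    IFS="$IFS,"
    set -- $1
    echo "$#"
}

# Scoped form 1: the assignment is a prefix to a single `read`, so IFS is
# ',' only for that one command and is untouched afterwards.
first_three_fields() {
    printf '%s\n' "$1" | {
        IFS=, read -r a b c rest
        printf '%s|%s|%s\n' "$a" "$b" "$c"
    }
}

# Scoped form 2: save, change, use, restore, with no exit path in between.
count_fields() {
    old_IFS="$IFS"
    IFS=,
    set -- $1
    IFS="$old_IFS"
    echo "$#"
}

# Runs the unscoped helper in a subshell (so the leak cannot reach the caller)
# and reports whether IFS was still the default afterwards inside that subshell.
check_leak() {
    (
        split_global "$SAMPLE_LIST" >/dev/null
        if ifs_is_default; then echo intact; else echo leaked; fi
    )
}

# Stand-alone demonstration.
echo "scoped read:      $(first_three_fields "$SAMPLE_LIST")"
echo "save/restore:     $(count_fields "$SAMPLE_LIST") fields"
echo "IFS after scoped: $(ifs_is_default && echo intact || echo leaked)"
echo "IFS after global: $(check_leak)"
```

The unscoped variant is deliberately only ever called inside a subshell here; in a real script it would be called at top level and the changed IFS would remain in force for everything that follows, which is exactly what the grep-based audit step in the mitigation plan is meant to surface.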

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Submitted

Weakness

Improper Input Validation