BAN-B602 · Detected subprocess `popen` call with shell equals `True`

Detected subprocess popen call with shell equals True BAN-B602

Security

Major

2 years ago — 4 years old

subprocess call with shell=True identified, security issue.

335                current_path = current_path.replace("/", f"{os.sep}")
336            if os.path.isdir(current_path):
337                print(f"Running: cd {current_path} && {command} ".replace("\'",""))
338                subprocess.Popen(f"cd {current_path} && {command} ".replace("\'",""), shell=True)339            elif os.path.isfile(current_path):
340                print(f"Running: {command} {current_path}".replace("\'",""))
341                subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)

subprocess call with shell=True identified, security issue.

ahd/cli.py

347            current_path = current_path.replace("/", f"{os.sep}")
348        if os.path.isdir(current_path):
349            print(f"Running: cd {paths[0]} && {command} ".replace("\'",""))
350            subprocess.Popen(f"cd {paths[0]} && {command} ".replace("\'",""), shell=True)351        elif os.path.isfile(current_path):
352            print(f"Running: {command} {current_path}".replace("\'",""))
353            subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)

subprocess call with shell=True identified, security issue.

ahd/cli.py

338                subprocess.Popen(f"cd {current_path} && {command} ".replace("\'",""), shell=True)
339            elif os.path.isfile(current_path):
340                print(f"Running: {command} {current_path}".replace("\'",""))
341                subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)342
343    else: # if only a single path is specified instead of a 'list' of them
344        current_path = paths[0]

subprocess call with shell=True identified, security issue.

ahd/cli.py

350            subprocess.Popen(f"cd {paths[0]} && {command} ".replace("\'",""), shell=True)
351        elif os.path.isfile(current_path):
352            print(f"Running: {command} {current_path}".replace("\'",""))
353            subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)354
355
356def _preprocess_paths(paths:str) -> str:

Description

Using shell=True can expose you to security risks if someone crafts input to issue different commands than the ones you intended.

Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user-provided or variable input. Subprocess invocation using a command shell is dangerous as it is vulnerable to various shell injection attacks. It is possible for an attacker to craft inputs to issue different commands than the ones you intended, for example: removing a file.

Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by a parameter of shell=True being given.

It is recommended to use functions that don't spawn a shell. If you must use them, use shlex.quote to sanitize the input.

Bad practice

import subprocess

subprocess.Popen(cmd, shell=True)  # Sensitive, shell spawned

References:

subprocess.popen
Subprocess security considerations
shlex
Command Injection
OWASP Top 10 2021 Category A03 - Injection
SANS Top 25
CWE-78

Descent098 / ahd

Bad practice

Recommended

References: