Audit required: Possible wildcard injection in call:
subprocess.Popen BAN-B609Possible wildcard injection in call: subprocess.Popen
107def tar_something():
108 context = ssl._create_stdlib_context()
109 os.tempnam("dir1")
110 subprocess.Popen("/bin/chown *", shell=True)111 o.system("/bin/tar xvzf *")
112 subprocess.run(["clear"])
113
Description
The use of partially qualified paths may result in unintended consequences if an unexpected file or symlink is placed into the path location given. This becomes particularly dangerous when combined with commands used to manipulate file permissions or copy data off of a system.
Python provides a number of methods that emulate the behavior of standard Linux command line utilities. Like their Linux counterparts, these commands may take a wildcard “” character in place of a file system path. This is interpreted to mean “any and all files or folders” and can be used to build partially qualified paths, such as “/home/user/”.
Bad practice
import subprocess
subprocess.Popen("/bin/chown *") # Sensitive, unexpected file may be placed in location
Recommended
import subprocess
subprocess.Popen("/bin/chown /home/user/some_file") # Fixed path provided