Audit required: Starting a subprocess BAN-B606
Starting a process without a shell.
83 if pip:
84 os.system("pip install -U -r requirements.txt")
85
86 os.execl(sys.executable, sys.executable, "-m", self.__class__.__name__.lower()) 87 sys.exit()
88
89 @staticmethod
Description
Spawning of a subprocess in a way that doesn't use a shell is generally safe, but it maybe useful for penetration testing workflows to track where external system calls are used.
Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input.
import os
# Creating subprocess:
# The following calls can be sensitive if the command is not sanitized, since they are starting a subprocess.
os.spawnl(mode, path, *cmd)
os.spawnle(mode, path, *cmd, env)
os.spawnlp(mode, file, *cmd)
os.spawnlpe(mode, file, *cmd, env)
os.spawnv(mode, path, cmd)
References:
- OWASP Top 10 2021 Category A03 - Injection
- SANS Top 25
- CWE-78