Starting a process with a shell detected BAN-B605
Starting a process with a shell, possible injection detected, security issue.
64 "Tag the current version as a release on Github."
65 assert "working tree clean" in c.run("git status").stdout
66 version = open("VERSION").read().strip()
67 os.system(f"hub release create {version}") # interactive 68
69
70pydoc_template = """Starting a process with a shell, possible injection detected, security issue.
91 for fname in glob.glob("tarproclib/*.py"):
92 module, ext = os.path.splitext(fname)
93 module = re.sub("/", ".", module)
94 with os.popen(f"{ACTIVATE}{PYTHON3} -m pydoc {module}") as stream: 95 text = stream.read()
96 document += pydoc_template.format(text=text, module=module)
97 with open("docs/pydoc.md", "w") as stream:Starting a process with a shell, possible injection detected, security issue.
98 stream.write(document)
99 document = ""
100 for command in commands:
101 with os.popen(f"{ACTIVATE}{PYTHON3}{command} --help ") as stream:102 text = stream.read()
103 text = re.sub("```", "", text)
104 document = command_template.format(text=text, command=command)Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
109@task(gendocs)
110def pubdocs(c):
111 "Generate and publish docs."
112 modified = os.popen("git status").readlines()113 for line in modified:
114 if "modified:" in line and ".md" not in line:
115 print("non-documentation file modified; commit manually", file=sys.stderr)
Description
Spawning of a subprocess using a command shell is dangerous as it is vulnerable to various shell injection attacks. Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by the use of certain commands which are known to use shells.
It is possible for an attacker to craft inputs to issue different commands than the ones you intended such as removing a file.
It is recommended to use functions that don't spawn a shell. If you must use them, use shlex.quote to sanitize the input by changing it to the shell-escaped version.
Bad practice
import os
# Malicious input
filename = "file.py; echo foo"
# Executing command in a shell without escaping. This will also run `echo foo`.
os.system("git add " + filename)
Recommended
import os, shlex
# Malicious input
filename = "file.py; echo foo"
# This ensures someone can't inject other commands into the given command.
os.system("git add " + shlex.quote(filename))
References:
- Command Injection
- shlex
- OWASP Top 10 2021 Category A03 - Injection
- SANS Top 25
- CWE-78