popen call with shell equals True BAN-B60262 import platform
63 import subprocess
64 subprocess.run(f'title Python {platform.python_version()} Shell',
65 shell=True, check=True)66 del subprocess
67 del platform
68 args = []123
124 creation_date = path.stat().st_mtime
125 cmd = self._command(filename, text, jumpIndex)
126 subprocess.run(cmd, shell=platform == 'win32', check=True)127 last_change_date = path.stat().st_mtime
128
129 if last_change_date == creation_date:120 except ModuleNotFoundError:
121 check_call(f'pip install {module}', shell=True)
122 else:
123 check_call(f'pip install --upgrade {module}', shell=True)124 else:
125 for module in ('build', 'twine'):
126 try:118 try:
119 import_module(module)
120 except ModuleNotFoundError:
121 check_call(f'pip install {module}', shell=True)122 else:
123 check_call(f'pip install --upgrade {module}', shell=True)
124 else:Using shell=True can expose you to security risks if someone crafts input to issue different commands than the ones you intended.
Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user-provided or variable input. Subprocess invocation using a command shell is dangerous as it is vulnerable to various shell injection attacks. It is possible for an attacker to craft inputs to issue different commands than the ones you intended, for example: removing a file.
Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by a parameter of shell=True being given.
It is recommended to use functions that don't spawn a shell. If you must use them, use shlex.quote to sanitize the input.
Bad practice
import subprocess
subprocess.Popen(cmd, shell=True) # Sensitive, shell spawned
Recommended
import subprocess
subprocess.Popen(cmd)
References:
- subprocess.popen
- Subprocess security considerations
- shlex
- Command Injection
- OWASP Top 10 2021 Category A03 - Injection
- SANS Top 25
- CWE-78