contrib.dlint.dlint-equivalent.insecure-os-exec-use

Author: returntocorp

The Python 'os' execution functions are not secure against maliciously constructed input


Definition

rules:
  - id: insecure-os-exec-use
    message: The Python 'os' execution functions are not secure against maliciously
      constructed input
    languages:
      - python
    severity: WARNING
    metadata:
      source_rule_url: https://github.com/dlint-py/dlint/blob/master/docs/linters/DUO106.md
      category: security
      technology:
        - python
      references:
        - https://github.com/dlint-py/dlint/blob/master/docs/linters/DUO106.md
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern-either:
      - patterns:
          - pattern: os.popen(...)
          - pattern-not: os.popen("...")
      - patterns:
          - pattern: os.popen2(...)
          - pattern-not: os.popen2("...")
      - patterns:
          - pattern: os.popen3(...)
          - pattern-not: os.popen3("...")
      - patterns:
          - pattern: os.popen4(...)
          - pattern-not: os.popen4("...")
      - patterns:
          - pattern: os.system(...)
          - pattern-not: os.system("...")
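The rule above flags `os.system`/`os.popen*` calls whose argument is anything other than a string literal, because a non-literal argument is where untrusted data reaches the shell. The following is an added example (not part of the dlint rule or the Semgrep registry) that contrasts the flagged pattern with two mitigations: quoting via `shlex.quote` when a shell is genuinely required, and the preferred form of passing an argv list to `subprocess.run` with no shell at all. The untrusted value `UNTRUSTED_NAME` and the helper names are constructed for this example; the Python interpreter stands in for the real program so the block runs on any platform.

```python
import shlex
import subprocess
import sys

# Constructed sample input: a filename an attacker could supply. The ';' is a
# shell metacharacter, so it would terminate one command and start another.
UNTRUSTED_NAME = "report.txt; echo INJECTED"


def insecure_command(name: str) -> str:
    """Build the string that the flagged call os.system(f"cat {name}") would hand to /bin/sh.

    Deliberately NOT executed. It is returned so the reader (and the test) can
    see that the untrusted value lands in the command line unquoted, which is
    exactly what CWE-78 describes and what the rule warns about.
    """
    return f"cat {name}"


def quoted_command(name: str) -> str:
    """Mitigation 1: if a shell is unavoidable, quote the untrusted argument.

    shlex.quote wraps the value in single quotes so ';', spaces and friends are
    passed to the program as data rather than interpreted by the shell.
    """
    return f"cat {shlex.quote(name)}"


def run_with_argv(name: str) -> str:
    """Mitigation 2 (preferred): no shell at all.

    An argv list goes straight to execve, so the untrusted value is a single
    argument no matter what characters it contains. The interpreter is used as
    a portable stand-in for the real program; it prints back its first argument.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("flagged by the rule:", insecure_command(UNTRUSTED_NAME))
    print("shell-quoted       :", quoted_command(UNTRUSTED_NAME))
    print("argv, no shell     :", run_with_argv(UNTRUSTED_NAME))
```

Note that the rule's `pattern-not: os.system("...")` clauses exempt string literals only; wrapping a variable with `shlex.quote` still produces a non-literal argument and is still reported, so the argv form is the one that satisfies both the linter and the underlying risk.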