gitlab.bandit.B602

Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.

Definition

rules:
  - id: bandit.B602
    patterns:
      - pattern-not: subprocess.$FUNC(..., shell=False, ...)
      - pattern-not: subprocess.$FUNC(..., shell=False)
      - pattern-not: subprocess.$FUNC(..., shell=0)
      - pattern-not: subprocess.$FUNC(..., shell=[])
      - pattern-not: subprocess.$FUNC(..., shell={})
      - pattern-not: subprocess.$FUNC(..., shell=None)
      - pattern-either:
          - pattern: subprocess.$FUNC(..., shell=True, ...)
          - pattern: subprocess.$FUNC(..., shell='True', ...)
          - pattern: subprocess.$FUNC(..., shell='False', ...)
          - pattern: subprocess.$FUNC(..., shell='None', ...)
          - pattern: subprocess.$FUNC(..., shell=$X, ...)
    message: >
      Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous
      because this call will spawn the command using a shell process. Doing so
      propagates current shell settings and variables, which makes it much easier
      for a malicious actor to execute commands. Use 'shell=False' instead.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command
        ('OS Command Injection')"
      owasp: "A1: Injection"
      primary_identifier: bandit.B602
      secondary_identifiers:
        - name: Bandit Test ID B602
          type: bandit_test_id
          value: B602
      license: MIT
    severity: ERROR
    languages:
      - python