gitlab.bandit.B606
Download count: 385
License: MIT
Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
Definition
rules:
  - id: bandit.B606
    patterns:
      - pattern-either:
          - patterns:
              - pattern-not: os.$W("...", ...)
              - pattern-either:
                  - pattern: os.execl(...)
                  - pattern: os.execle(...)
                  - pattern: os.execlp(...)
                  - pattern: os.execlpe(...)
                  - pattern: os.execv(...)
                  - pattern: os.execve(...)
                  - pattern: os.execvp(...)
                  - pattern: os.execvpe(...)
                  - pattern: os.startfile(...)
          - patterns:
              - pattern-not: os.$W($MODE, "...", ...)
              - pattern-either:
                  - pattern: os.spawnl(...)
                  - pattern: os.spawnle(...)
                  - pattern: os.spawnlp(...)
                  - pattern: os.spawnlpe(...)
                  - pattern: os.spawnv(...)
                  - pattern: os.spawnve(...)
                  - pattern: os.spawnvp(...)
                  - pattern: os.spawnvpe(...)
    message: >
      Found dynamic content when spawning a process. This is dangerous if external
      data can reach this function call because it allows a malicious actor to
      execute commands. Ensure no external data reaches here.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command
        ('OS Command Injection')"
      owasp: "A1: Injection"
      primary_identifier: bandit.B606
      secondary_identifiers:
        - name: Bandit Test ID B606
          type: bandit_test_id
          value: B606
      license: MIT
    severity: WARNING
    languages:
      - python
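To make the two pattern-not exclusions concrete, here is an added example (not part of the rule or of the Semgrep registry) that re-implements the B606 check over Python's ast module: an os.exec*/os.startfile call is reported unless its first positional argument is a plain string literal, and an os.spawn* call unless the argument after the mode is. The sample source and the names cmd, path and user_file are constructed; treating f-strings and starred arguments as dynamic is this checker's choice, not something the rule text states.

```python
import ast

# Call families covered by the rule above; exec*/startfile take the program
# as the first argument, spawn* as the second (after the mode argument).
EXEC_FUNCS = {"execl", "execle", "execlp", "execlpe",
              "execv", "execve", "execvp", "execvpe", "startfile"}
SPAWN_FUNCS = {"spawnl", "spawnle", "spawnlp", "spawnlpe",
               "spawnv", "spawnve", "spawnvp", "spawnvpe"}

def os_attr_name(call):
    """Return 'name' if the call has the shape os.name(...), else None."""
    func = call.func
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "os"):
        return func.attr
    return None

def find_dynamic_spawns(source):
    """Report (line, function) for each covered call whose program argument
    is not a plain string literal. f-strings count as dynamic here."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = os_attr_name(node)
        if name in EXEC_FUNCS:
            idx = 0          # program is the first positional argument
        elif name in SPAWN_FUNCS:
            idx = 1          # program follows the mode argument
        else:
            continue
        args = node.args
        # Missing or starred argument: the program cannot be proven constant.
        literal = (len(args) > idx
                   and not any(isinstance(a, ast.Starred) for a in args[:idx + 1])
                   and isinstance(args[idx], ast.Constant)
                   and isinstance(args[idx].value, str))
        if not literal:
            findings.append((node.lineno, name))
    return sorted(findings)

# Constructed sample input; cmd, path and user_file stand for values a
# caller supplies at run time.
SAMPLE = """\
import os
os.execv("/usr/bin/id", ["id"])            # literal program: not reported
os.execv(cmd, [cmd])                       # dynamic program: reported
os.spawnv(os.P_WAIT, "/bin/ls", ["ls"])    # literal after mode: not reported
os.spawnv(os.P_WAIT, path, [path])         # dynamic after mode: reported
os.startfile(user_file)                    # dynamic: reported
"""
```

Running find_dynamic_spawns(SAMPLE) returns the three flagged calls on lines 3, 5 and 6; os.system is not in either pattern-either branch and is left to other rules.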
Short Link: https://sg.run/kLQA