python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
99,897
Download Count*

Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.

Run Locally

Run in CI

Defintion

rules:
  - id: globals-misuse-code-execution
    message: Found request data as an index to 'globals()'. This is extremely
      dangerous because it allows an attacker to execute arbitrary code on the
      system. Refactor your code not to use 'globals()'.
    metadata:
      cwe:
        - "CWE-96: Improper Neutralization of Directives in Statically Saved
          Code ('Static Code Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186
      category: security
      technology:
        - django
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: WARNING
    patterns:
      - pattern-inside: |
          def $FUNC(...):
            ...
      - pattern-either:
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals().get($DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals().get("..." % $DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals().get(f"...{$DATA}...", ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals().get("...".format(..., $DATA, ...), ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals()[$DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals()["..." % $DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals()[f"...{$DATA}..."]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = globals()["...".format(..., $DATA, ...)]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals().get($DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals().get("..." % $DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals().get(f"...{$DATA}...", ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals().get("...".format(..., $DATA, ...), ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals()[$DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals()["..." % $DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals()[f"...{$DATA}..."]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = globals()["...".format(..., $DATA, ...)]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals().get($DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals().get("..." % $DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals().get(f"...{$DATA}...", ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals().get("...".format(..., $DATA, ...), ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals()[$DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals()["..." % $DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals()[f"...{$DATA}..."]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = globals()["...".format(..., $DATA, ...)]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals().get($DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals().get("..." % $DATA, ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals().get(f"...{$DATA}...", ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals().get("...".format(..., $DATA, ...), ...)
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals()[$DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals()["..." % $DATA]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals()[f"...{$DATA}..."]
              ...
              $INTERM(...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = globals()["...".format(..., $DATA, ...)]
              ...
              $INTERM(...)

Examples

globals-misuse-code-execution.py

def unvalidated_forward(request):
    # ruleid: globals-misuse-code-execution
    forward = request.GET.get('fwd')
    function = globals().get(forward)

    if function:
        return function(request)

    env = {'fwd': forward}
    return render(request, 'vulnerable/redirects/forward_failed.html', env)

def admin(request):
    return render(request, 'vulnerable/redirects/admin.html', {})