python.flask.security.injection.user-exec.exec-injection
Verified by r2c
Community Favorite

Download Count*: 180,616
Detected user data flowing into exec. This is code injection and should be avoided.
Definition
rules:
- id: exec-injection
  languages:
  - python
  severity: ERROR
  message: Detected user data flowing into exec. This is code injection and should be avoided.
  metadata:
    cwe:
    - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
    owasp:
    - A03:2021 - Injection
    references:
    - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html
    category: security
    technology:
    - flask
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: HIGH
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Code Injection
  pattern-either:
  - patterns:
    - pattern: exec(...)
    - pattern-either:
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            exec(..., <... $ROUTEVAR ...>, ...)
      - pattern-inside: |
          @$APP.route($ROUTE, ...)
          def $FUNC(..., $ROUTEVAR, ...):
            ...
            $INTERM = <... $ROUTEVAR ...>
            ...
            exec(..., <... $INTERM ...>, ...)
  - pattern: exec(..., <... flask.request.$W.get(...) ...>, ...)
  - pattern: exec(..., <... flask.request.$W[...] ...>, ...)
  - pattern: exec(..., <... flask.request.$W(...) ...>, ...)
  - pattern: exec(..., <... flask.request.$W ...>, ...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W.get(...) ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W[...] ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W(...) ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
  - patterns:
    - pattern-inside: |
        $INTERM = <... flask.request.$W ...>
        ...
        exec(..., <... $INTERM ...>, ...)
    - pattern: exec(...)
Examples
user-exec.py
import flask

app = flask.Flask(__name__)


@app.route("/route_param/<route_param>")
def route_param(route_param):
    print("blah")
    # ruleid: exec-injection
    return exec(route_param)


@app.route("/route_param_ok/<route_param>")
def route_param_ok(route_param):
    print("blah")
    # ok: exec-injection
    return exec("this is safe")


@app.route("/get_param", methods=["GET"])
def get_param():
    param = flask.request.args.get("param")
    # ruleid: exec-injection
    exec(param)


@app.route("/get_param_ok", methods=["GET"])
def get_param_ok():
    param = flask.request.args.get("param")
    # ok: exec-injection
    exec("this is safe")


@app.route("/get_param_inline_concat", methods=["GET"])
def get_param_inline_concat():
    # ruleid: exec-injection
    exec("import " + flask.request.args.get("param"))


@app.route("/get_param_concat", methods=["GET"])
def get_param_concat():
    param = flask.request.args.get("param")
    # ruleid: exec-injection
    exec(param + "+ 'hello'")


@app.route("/get_param_format", methods=["GET"])
def get_param_format():
    param = flask.request.args.get("param")
    # ruleid: exec-injection
    exec("import {}".format(param))


@app.route("/get_param_percent_format", methods=["GET"])
def get_param_percent_format():
    param = flask.request.args.get("param")
    # ruleid: exec-injection
    exec("import %s" % (param,))


@app.route("/post_param", methods=["POST"])
def post_param():
    param = flask.request.form['param']
    if True:
        # ruleid: exec-injection
        exec(param)


@app.route("/format", methods=["POST"])
def format():
    param = "{}".format(flask.request.form['param'])
    print("do things")
    # ruleid: exec-injection
    exec(param)


@app.route("/ok")
def ok():
    exec("This is fine")
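The test file above shows only what the rule flags; the remediation that makes each of those handlers pass is to stop synthesising code from the request at all. The example below is added here and is not part of the rule or its test file. It shows the two fixes that cover the flagged cases: the `"import " + param` / `"import {}".format(param)` handlers are replaced by an allowlisted `importlib.import_module` lookup, and the bare `exec(param)` handlers are replaced by a fixed dispatch table keyed by the parameter. The function names, the `ALLOWED_MODULES` set and the `ACTIONS` table are assumptions for illustration; the Flask request object is left out so the code runs without Flask, with the handler taking the query dictionary it would otherwise read from `flask.request.args`.

```python
import importlib

# Constructed allowlist (assumption): the only modules a request may ask for.
# Extend it deliberately in code review, never from request data.
ALLOWED_MODULES = frozenset({"json", "math", "statistics"})


class DisallowedModule(ValueError):
    """Raised when a request names a module outside the allowlist."""


def safe_import(name):
    """Hardened replacement for exec("import " + name) and its format() variants.

    The request value is used only as a key against a fixed set, so no code is
    built from it; anything not in the set is rejected before import_module runs.
    """
    if not isinstance(name, str) or name not in ALLOWED_MODULES:
        raise DisallowedModule("module not permitted: %r" % (name,))
    return importlib.import_module(name)


# Constructed dispatch table (assumption): the operations a client may trigger.
# This is the replacement for exec(param) when the intent was "run one of a few
# known actions chosen by the client".
ACTIONS = {
    "ping": lambda: "pong",
    "version": lambda: "1.0",
}


def run_action(param):
    """Hardened replacement for exec(param): look the name up, never execute it."""
    action = ACTIONS.get(param)
    if action is None:
        raise KeyError("unknown action: %r" % (param,))
    return action()


def handle_get_param_format(args):
    """Hypothetical handler standing in for get_param_format() above.

    `args` plays the role of flask.request.args (a mapping of query parameters).
    Returns the module name on success or an error string; it never calls exec.
    """
    param = args.get("param")
    try:
        module = safe_import(param)
    except DisallowedModule as err:
        return "rejected: %s" % (err,)
    return "loaded %s" % (module.__name__,)


if __name__ == "__main__":
    # Constructed sample query parameters, the kind the test file's routes receive.
    print(handle_get_param_format({"param": "math"}))
    print(handle_get_param_format({"param": "os"}))
    print(handle_get_param_format({"param": "math; import os"}))
    print(run_action("ping"))
```

Both replacements share one property that is the real fix: the request parameter only selects among options the developer wrote down in advance, so a Semgrep run with this rule no longer finds user data flowing into `exec`, and there is nothing for a crafted parameter to reach.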
Short Link: https://sg.run/Ge42