Semgrep Registry - python.flask.security.injection.user-exec.exec-injection

Detected user data flowing into exec. This is code injection and should be avoided.

Defintion

rules:
  - id: exec-injection
    languages:
      - python
    severity: ERROR
    message: Detected user data flowing into exec. This is code injection and should
      be avoided.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html
      category: security
      technology:
        - flask
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern-either:
      - patterns:
          - pattern: exec(...)
          - pattern-either:
              - pattern-inside: |
                  @$APP.route($ROUTE, ...)
                  def $FUNC(..., $ROUTEVAR, ...):
                    ...
                    exec(..., <... $ROUTEVAR ...>, ...)
              - pattern-inside: |
                  @$APP.route($ROUTE, ...)
                  def $FUNC(..., $ROUTEVAR, ...):
                    ...
                    $INTERM = <... $ROUTEVAR ...>
                    ...
                    exec(..., <... $INTERM ...>, ...)
      - pattern: exec(..., <... flask.request.$W.get(...) ...>, ...)
      - pattern: exec(..., <... flask.request.$W[...] ...>, ...)
      - pattern: exec(..., <... flask.request.$W(...) ...>, ...)
      - pattern: exec(..., <... flask.request.$W ...>, ...)
      - patterns:
          - pattern-inside: |
              $INTERM = <... flask.request.$W.get(...) ...>
              ...
              exec(..., <... $INTERM ...>, ...)
          - pattern: exec(...)
      - patterns:
          - pattern-inside: |
              $INTERM = <... flask.request.$W[...] ...>
              ...
              exec(..., <... $INTERM ...>, ...)
          - pattern: exec(...)
      - patterns:
          - pattern-inside: |
              $INTERM = <... flask.request.$W(...) ...>
              ...
              exec(..., <... $INTERM ...>, ...)
          - pattern: exec(...)
      - patterns:
          - pattern-inside: |
              $INTERM = <... flask.request.$W ...>
              ...
              exec(..., <... $INTERM ...>, ...)
          - pattern: exec(...)

import flask app = flask.Flask(__name__) @app.route("/route_param/<route_param>") def route_param(route_param): print("blah") # ruleid: exec-injection return exec(route_param) @app.route("/route_param_ok/<route_param>") def route_param_ok(route_param): print("blah") # ok: exec-injection return exec("this is safe") @app.route("/get_param", methods=["GET"]) def get_param(): param = flask.request.args.get("param") # ruleid: exec-injection exec(param) @app.route("/get_param_ok", methods=["GET"]) def get_param_ok(): param = flask.request.args.get("param") # ok: exec-injection exec("this is safe") @app.route("/get_param_inline_concat", methods=["GET"]) def get_param_inline_concat(): # ruleid: exec-injection exec("import " + flask.request.args.get("param")) @app.route("/get_param_concat", methods=["GET"]) def get_param_concat(): param = flask.request.args.get("param") # ruleid: exec-injection exec(param + "+ 'hello'") @app.route("/get_param_format", methods=["GET"]) def get_param_format(): param = flask.request.args.get("param") # ruleid: exec-injection exec("import {}".format(param)) @app.route("/get_param_percent_format", methods=["GET"]) def get_param_percent_format(): param = flask.request.args.get("param") # ruleid: exec-injection exec("import %s" % (param,)) @app.route("/post_param", methods=["POST"]) def post_param(): param = flask.request.form['param'] if True: # ruleid: exec-injection exec(param) @app.route("/format", methods=["POST"]) def format(): param = "{}".format(flask.request.form['param']) print("do things") # ruleid: exec-injection exec(param) @app.route("/ok") def ok(): exec("This is fine")

python.flask.security.injection.user-exec.exec-injection

Run Locally

Run in CI

Defintion

Examples

user-exec.py