python.lang.security.audit.dangerous-asyncio-shell.dangerous-asyncio-shell

profile photo of returntocorpreturntocorp
Author
1,200
Download Count*
LGPL Commons Clause
License

Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: dangerous-asyncio-shell
    patterns:
      - pattern-either:
          - pattern: $LOOP.subprocess_shell($PROTOCOL, $CMD)
          - pattern: asyncio.subprocess.create_subprocess_shell($CMD, ...)
          - pattern: asyncio.create_subprocess_shell($CMD, ...)
      - pattern-not-inside: |
          $CMD = "..."
          ...
      - pattern-not: $LOOP.subprocess_shell($PROTOCOL, "...")
      - pattern-not: asyncio.subprocess.create_subprocess_shell("...", ...)
      - pattern-not: asyncio.create_subprocess_shell("...", ...)
    message: Detected asyncio subprocess function without a static string. If this
      data can be controlled by a malicious actor, it may be an instance of
      command injection. Audit the use of this call to ensure it is not
      controllable by an external resource. You may consider using
      'shlex.escape()'.
    metadata:
      owasp: "A1: Injection"
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command
        ('OS Command Injection')"
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.3.8 OS Command Injection
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
        version: "4"
      references:
        - https://docs.python.org/3/library/asyncio-subprocess.html
        - https://docs.python.org/3/library/shlex.html
      category: security
      technology:
        - python
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: ERROR

Examples

dangerous-asyncio-shell.py

import asyncio

class AsyncEventLoop:
    def __enter__(self):
        self.loop = asyncio.new_event_loop()
        asyncio.set_event_loop(self.loop)
        return self.loop

    def __exit__(self, *args):
        self.loop.close()

class WaitingProtocol(asyncio.SubprocessProtocol):
    def __init__(self, exit_future):
        self.exit_future = exit_future

    def process_exited(self):
        self.exit_future.set_result(True)

def vuln1(shell_command):
    with AsyncEventLoop() as loop:
        exit_future = asyncio.Future(loop=loop)
        # ruleid: dangerous-asyncio-shell
        transport, _ = loop.run_until_complete(loop.subprocess_shell(lambda: WaitingProtocol(exit_future), shell_command))
        loop.run_until_complete(exit_future)
        transport.close()

def vuln2(shell_command):
    with AsyncEventLoop() as loop:
        # ruleid: dangerous-asyncio-shell
        proc = loop.run_until_complete(asyncio.subprocess.create_subprocess_shell(shell_command))
        loop.run_until_complete(proc.wait())

def ok1():
    shell_command = 'echo "Hello world"'

    with AsyncEventLoop() as loop:
        exit_future = asyncio.Future(loop=loop)
        # ok: dangerous-asyncio-shell
        transport, _ = loop.run_until_complete(loop.subprocess_shell(lambda: WaitingProtocol(exit_future), shell_command))
        loop.run_until_complete(exit_future)
        transport.close()

def ok2():
    with AsyncEventLoop() as loop:
        # ok: dangerous-asyncio-shell
        proc = loop.run_until_complete(asyncio.subprocess.create_subprocess_shell('echo "foobar"'))
        loop.run_until_complete(proc.wait())