python.lang.security.audit.dangerous-code-run.dangerous-interactive-code-run

profile photo of returntocorpreturntocorp
Author
1,200
Download Count*
LGPL Commons Clause
License

Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: dangerous-interactive-code-run
    patterns:
      - pattern-either:
          - pattern: |
              $X.push($PAYLOAD,...)
          - pattern: |
              $X.runsource($PAYLOAD,...)
          - pattern: |
              $X.runcode(code.compile_command($PAYLOAD),...)
          - pattern: |
              $PL = code.compile_command($PAYLOAD,...)
              ...
              $X.runcode($PL,...)
      - pattern-either:
          - pattern-inside: |
              $X = code.InteractiveConsole(...)
              ...
          - pattern-inside: |
              $X = code.InteractiveInterpreter(...)
              ...
      - pattern-not: |
          $X.push("...",...)
      - pattern-not: |
          $X.runsource("...",...)
      - pattern-not: |
          $X.runcode(code.compile_command("..."),...)
      - pattern-not: |
          $PL = code.compile_command("...",...)
          ...
          $X.runcode($PL,...)
    message: Found dynamic content inside InteractiveConsole/InteractiveInterpreter
      method. This is dangerous if external data can reach this function call
      because it allows a malicious actor to run arbitrary Python code. Ensure
      no external data reaches here.
    metadata:
      cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
        Code ('Eval Injection')"
      owasp: "A1: Injection"
      category: security
      technology:
        - python
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

dangerous-code-run.py

import code

def run_payload1(payload: str) -> None:
    console = code.InteractiveConsole()
    # ruleid: dangerous-interactive-code-run
    console.push(payload)

def run_payload2(payload: str) -> None:
    inperpreter = code.InteractiveInterpreter()
    # ruleid: dangerous-interactive-code-run
    inperpreter.runcode(code.compile_command(payload))

def run_payload3(payload: str) -> None:
    inperpreter = code.InteractiveInterpreter()
    # ruleid: dangerous-interactive-code-run
    pl = code.compile_command(payload)
    inperpreter.runcode(pl)

def run_payload4(payload: str) -> None:
    inperpreter = code.InteractiveInterpreter()
    # ruleid: dangerous-interactive-code-run
    inperpreter.runsource(payload)

def ok1() -> None:
    console = code.InteractiveConsole()
    console.push('print(123)')

def ok2() -> None:
    inperpreter = code.InteractiveInterpreter()
    inperpreter.runcode(code.compile_command('print(123)'))

def ok3() -> None:
    inperpreter = code.InteractiveInterpreter()
    pl = code.compile_command('print(123)')
    inperpreter.runcode(pl)

def ok4() -> None:
    inperpreter = code.InteractiveInterpreter()
    inperpreter.runsource('print(123)')