python.lang.security.audit.dangerous-subinterpreters-run-string-audit.dangerous-subinterpreters-run-string-audit

Author: semgrep

Found dynamic content in run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.


Definition

rules:
  - id: dangerous-subinterpreters-run-string-audit
    patterns:
      - pattern: |
          _xxsubinterpreters.run_string($ID, $PAYLOAD, ...)
      - pattern-not: |
          _xxsubinterpreters.run_string($ID, "...", ...)
    message: Found dynamic content in `run_string`. This is dangerous if external
      data can reach this function call because it allows a malicious actor to
      run arbitrary Python code. Ensure no external data reaches here.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://bugs.python.org/issue43472
        - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
      category: security
      technology:
        - python
      confidence: LOW
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    languages:
      - python
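To make the `pattern` / `pattern-not` logic above concrete, here is an added Python example (not part of the Semgrep rule or its test file) that reimplements the same check with the standard `ast` module: it reports every `_xxsubinterpreters.run_string(...)` call whose payload argument is anything other than a plain string literal. The sample source it scans is constructed for this example; note that it treats f-strings as dynamic, which is the conservative choice for an audit rule.

```python
import ast

# Constructed sample module (not the rule's test file) exercising both branches:
# a payload taken from a parameter, a constant literal, and an f-string.
SAMPLE_SOURCE = '''
import _xxsubinterpreters

def run_payload(payload: str) -> None:
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), payload)

def ok_run():
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), "print(123)")

def formatted(name):
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), f"print({name})")
'''


def is_run_string_call(node: ast.Call) -> bool:
    """Match `_xxsubinterpreters.run_string(...)`, i.e. the rule's `pattern`."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "run_string"
        and isinstance(func.value, ast.Name)
        and func.value.id == "_xxsubinterpreters"
    )


def find_dynamic_run_string(source: str) -> list[int]:
    """Return line numbers where run_string's payload is not a string literal.

    Mirrors the rule: `pattern-not` excludes calls whose second positional
    argument is a plain string constant ("..."), so names, f-strings,
    concatenations and call results are all reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and is_run_string_call(node)):
            continue
        if len(node.args) < 2:
            continue  # pattern requires ($ID, $PAYLOAD, ...): no payload to inspect
        payload = node.args[1]
        literal = isinstance(payload, ast.Constant) and isinstance(payload.value, str)
        if not literal:
            findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    for line in find_dynamic_run_string(SAMPLE_SOURCE):
        print(f"line {line}: dynamic payload passed to run_string")
```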

Examples

dangerous-subinterpreters-run-string-audit.py

import _xxsubinterpreters

def run_payload(payload: str) -> None:
    # ruleid: dangerous-subinterpreters-run-string-audit
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), payload)

def okRun():
    # ok: dangerous-subinterpreters-run-string-audit
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), "print(123)")