python.lang.security.audit.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string

Author: returntocorp
Downloads: 1,200

Found dynamic content in run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.


Definition

rules:
  - id: dangerous-subinterpreters-run-string
    patterns:
      - pattern: |
          _xxsubinterpreters.run_string($ID, $PAYLOAD, ...)
      - pattern-not: |
          _xxsubinterpreters.run_string($ID, "...", ...)
    message: Found dynamic content in `run_string`. This is dangerous if external
      data can reach this function call because it allows a malicious actor to
      run arbitrary Python code. Ensure no external data reaches here.
    metadata:
      cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
        Code ('Eval Injection')"
      owasp: "A1: Injection"
      references:
        - https://bugs.python.org/issue43472
      category: security
      technology:
        - python
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

dangerous-subinterpreters-run-string.py

import _xxsubinterpreters

def run_payload(payload: str) -> None:
    # ruleid: dangerous-subinterpreters-run-string
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), payload)

def okRun():
    # ok: dangerous-subinterpreters-run-string
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), "print(123)")
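To make the rule's two patterns concrete, the following is an added example, not part of the Semgrep rule or its test file, that applies the same logic with Python's standard `ast` module: every `_xxsubinterpreters.run_string(...)` call whose second argument is not a plain string literal is reported, exactly as `pattern` minus `pattern-not` does. The sample source is constructed from the test file above plus an f-string case; like the rule, the checker only looks at the `_xxsubinterpreters.run_string` attribute form and at the positional script argument.

```python
import ast

# Constructed sample: the rule's test file plus an f-string case, embedded so this runs offline.
SAMPLE = '''\
import _xxsubinterpreters

def run_payload(payload: str) -> None:
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), payload)

def okRun():
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), "print(123)")

def fstring(user):
    _xxsubinterpreters.run_string(_xxsubinterpreters.create(), f"print({user})")
'''

MODULE = "_xxsubinterpreters"
FUNC = "run_string"


def _is_run_string_call(node: ast.Call) -> bool:
    """True for `_xxsubinterpreters.run_string(...)`, the form the rule targets."""
    f = node.func
    return (isinstance(f, ast.Attribute) and f.attr == FUNC
            and isinstance(f.value, ast.Name) and f.value.id == MODULE)


def find_dynamic_run_string(source: str) -> list[int]:
    """Return line numbers of run_string calls whose script argument is not a
    string literal. This mirrors `pattern` minus `pattern-not`: a literal "..."
    second argument is accepted; a name, f-string, concatenation or call result
    is reported because external data could flow into the executed code."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_run_string_call(node)):
            continue
        if len(node.args) < 2:
            continue  # script passed by keyword or missing: out of scope here
        script = node.args[1]
        literal = isinstance(script, ast.Constant) and isinstance(script.value, str)
        if not literal:
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    for line in find_dynamic_run_string(SAMPLE):
        print(f"line {line}: dynamic script argument reaches run_string")
```

Running it reports lines 4 and 10 of the sample (the `payload` name and the f-string) and accepts line 7, the literal `"print(123)"`.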