python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit
returntocorpAuthor
unknown
Download Count*
License
Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Run Locally
Run in CI
Defintion
rules:
- id: dangerous-system-call-audit
patterns:
- pattern-not: os.$W("...", ...)
- pattern-either:
- pattern: os.system(...)
- pattern: getattr(os, "system")(...)
- pattern: __import__("os").system(...)
- pattern: getattr(__import__("os"), "system")(...)
- pattern: |
$X = __import__("os")
...
$X.system(...)
- pattern: |
$X = __import__("os")
...
getattr($X, "system")(...)
- pattern: |
$X = getattr(os, "system")
...
$X(...)
- pattern: |
$X = __import__("os")
...
$Y = getattr($X, "system")
...
$Y(...)
- pattern: os.popen(...)
- pattern: os.popen2(...)
- pattern: os.popen3(...)
- pattern: os.popen4(...)
message: Found dynamic content used in a system call. This is dangerous if
external data can reach this function call because it allows a malicious
actor to execute commands. Use the 'subprocess' module instead, which is
easier to use without accidentally exposing a command injection
vulnerability.
metadata:
source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
references:
- https://semgrep.dev/docs/cheat-sheets/python-command-injection/
asvs:
section: "V5: Validation, Sanitization and Encoding Verification Requirements"
control_id: 5.2.4 Dyanmic Code Execution Features
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
version: "4"
category: security
technology:
- python
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- python
severity: ERROR
Examples
dangerous-system-call-audit.py
import os
# ok:dangerous-system-call-audit
os.system("ls -al")
# ok:dangerous-system-call-audit
os.popen("cat contents.txt")
from somewhere import something
# ruleid:dangerous-system-call-audit
os.system(something())
# ruleid:dangerous-system-call-audit
getattr(os, "system")(something())
# ruleid:dangerous-system-call-audit
dynamic_system_by_static_os = getattr(os, "system")
dynamic_system_by_static_os(something())
# ruleid:dangerous-system-call-audit
__import__("os").system(something())
# ruleid:dangerous-system-call-audit
getattr(__import__("os"), "system")(something())
# ruleid:dangerous-system-call-audit
dynamic_os = __import__("os")
dynamic_os.system(something())
# ruleid:dangerous-system-call-audit
dynamic_os = __import__("os")
getattr(dynamic_os, "system")(something())
# ruleid:dangerous-system-call-audit
dynamic_os = __import__("os")
dynamic_system = getattr(dynamic_os, "system")
dynamic_system(something())
# ruleid:dangerous-system-call-audit
os.popen(something())
# ruleid:dangerous-system-call-audit
os.popen2(something())
Short Link: https://sg.run/2WL0