python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.

Run Locally

Run in CI

Defintion

rules:
  - id: dangerous-system-call-audit
    patterns:
      - pattern-not: os.$W("...", ...)
      - pattern-either:
          - pattern: os.system(...)
          - pattern: getattr(os, "system")(...)
          - pattern: __import__("os").system(...)
          - pattern: getattr(__import__("os"), "system")(...)
          - pattern: |
              $X = __import__("os")
              ...
              $X.system(...)
          - pattern: |
              $X = __import__("os")
              ...
              getattr($X, "system")(...)
          - pattern: |
              $X = getattr(os, "system")
              ...
              $X(...)
          - pattern: |
              $X = __import__("os")
              ...
              $Y = getattr($X, "system")
              ...
              $Y(...)
          - pattern: os.popen(...)
          - pattern: os.popen2(...)
          - pattern: os.popen3(...)
          - pattern: os.popen4(...)
    message: Found dynamic content used in a system call. This is dangerous if
      external data can reach this function call because it allows a malicious
      actor to execute commands. Use the 'subprocess' module instead, which is
      easier to use without accidentally exposing a command injection
      vulnerability.
    metadata:
      source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.2.4 Dyanmic Code Execution Features
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
        version: "4"
      category: security
      technology:
        - python
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - python
    severity: ERROR

Examples

dangerous-system-call-audit.py

import os

# ok:dangerous-system-call-audit
os.system("ls -al")

# ok:dangerous-system-call-audit
os.popen("cat contents.txt")

from somewhere import something

# ruleid:dangerous-system-call-audit
os.system(something())

# ruleid:dangerous-system-call-audit
getattr(os, "system")(something())

# ruleid:dangerous-system-call-audit
dynamic_system_by_static_os = getattr(os, "system")
dynamic_system_by_static_os(something())

# ruleid:dangerous-system-call-audit
__import__("os").system(something())

# ruleid:dangerous-system-call-audit
getattr(__import__("os"), "system")(something())

# ruleid:dangerous-system-call-audit
dynamic_os = __import__("os")
dynamic_os.system(something())

# ruleid:dangerous-system-call-audit
dynamic_os = __import__("os")
getattr(dynamic_os, "system")(something())

# ruleid:dangerous-system-call-audit
dynamic_os = __import__("os")
dynamic_system = getattr(dynamic_os, "system")
dynamic_system(something())

# ruleid:dangerous-system-call-audit
os.popen(something())

# ruleid:dangerous-system-call-audit
os.popen2(something())