python.lang.security.audit.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp

Author: returntocorp
Download Count: 1,200

Found dynamic content in run_in_subinterp. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.

Definition

rules:
  - id: dangerous-testcapi-run-in-subinterp
    patterns:
      - pattern-either:
          - pattern: |
              _testcapi.run_in_subinterp($PAYLOAD, ...)
          - pattern: |
              test.support.run_in_subinterp($PAYLOAD, ...)
      - pattern-not: |
          _testcapi.run_in_subinterp("...", ...)
      - pattern-not: |
          test.support.run_in_subinterp("...", ...)
    message: Found dynamic content in `run_in_subinterp`. This is dangerous if
      external data can reach this function call because it allows a malicious
      actor to run arbitrary Python code. Ensure no external data reaches here.
    metadata:
      cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
        Code ('Eval Injection')"
      owasp: "A1: Injection"
      category: security
      technology:
        - python
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

dangerous-testcapi-run-in-subinterp.py

import _testcapi
from test import support

def run_payload1(payload: str) -> None:
    # ruleid: dangerous-testcapi-run-in-subinterp
    _testcapi.run_in_subinterp(payload)

def run_payload2(payload: str) -> None:
    # ruleid: dangerous-testcapi-run-in-subinterp
    support.run_in_subinterp(payload)

def okTest(payload: str) -> None:
    # ok: dangerous-testcapi-run-in-subinterp
    _testcapi.run_in_subinterp("print('Hello world')")
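The rule above is a pattern / pattern-not pair: any `run_in_subinterp` call is suspicious unless its first argument is a plain string literal. The following checker, added here as an illustration and not part of the Semgrep rule or its test file, expresses that same logic over Python's `ast` so the exclusions are explicit; it assumes the `support.run_in_subinterp` alias should be matched by dotted name (Semgrep resolves the `from test import support` import itself) and runs on a constructed sample shaped like the example file.

```python
import ast

# Dotted callees the rule matches. "support.run_in_subinterp" covers the
# "from test import support" alias: Semgrep resolves that import itself,
# this checker just compares the dotted name (a simplifying assumption).
SINK_CALLS = {
    "_testcapi.run_in_subinterp",
    "test.support.run_in_subinterp",
    "support.run_in_subinterp",
}

def _dotted_name(node):
    """Rebuild 'a.b.c' from a Name/Attribute chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))

def find_dynamic_subinterp_calls(source):
    """(lineno, callee) for each sink call whose first argument is not a
    plain string literal: the rule's pattern minus its pattern-not clauses."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        callee = _dotted_name(node.func)
        if callee not in SINK_CALLS:
            continue
        first = node.args[0]
        # pattern-not: a literal "..." first argument is static, so it is allowed.
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            continue
        findings.append((node.lineno, callee))
    return sorted(findings)

# Constructed sample in the shape of the page's test file (not real code).
SAMPLE = '''import _testcapi
from test import support
def run_payload1(payload):
    _testcapi.run_in_subinterp(payload)             # dynamic -> flagged
def run_payload2(payload):
    support.run_in_subinterp(f"x = {payload!r}")    # f-string -> flagged
def ok_test(payload):
    _testcapi.run_in_subinterp("print('Hello')")    # literal -> ok
'''
```

Calling `find_dynamic_subinterp_calls(SAMPLE)` returns the two dynamic calls (lines 4 and 6 of the sample) and skips the literal one, the same split the Semgrep test file marks with `ruleid` and `ok`.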