python.lang.security.audit.exec-detected.exec-detected
Community Favorite
semgrep
Author
48,183
Download Count*
License
Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Run Locally
Run in CI
Defintion
rules:
- id: exec-detected
patterns:
- pattern-not: exec("...")
- pattern: exec(...)
message: Detected the use of exec(). exec() can be dangerous if used to evaluate
dynamic content. If this content can be input from outside the program,
this may be a code injection vulnerability. Ensure evaluated content is
not definable by external sources.
metadata:
source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b102_exec_used.html
cwe:
- "CWE-95: Improper Neutralization of Directives in Dynamically
Evaluated Code ('Eval Injection')"
owasp:
- A03:2021 - Injection
asvs:
section: "V5: Validation, Sanitization and Encoding Verification Requirements"
control_id: 5.2.4 Dyanmic Code Execution Features
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
version: "4"
category: security
technology:
- python
references:
- https://owasp.org/Top10/A03_2021-Injection
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- python
severity: WARNING
Examples
exec-detected.py
# ok:exec-detected
exec("x = 1; x = x + 2")
blah = "import requests; r = requests.get('https://example.com')"
# ok:exec-detected
exec(blah)
dynamic = "import requests; r = requests.get('{}')"
# ruleid:exec-detected
exec(dynamic.format("https://example.com"))
def eval_something(something):
# ruleid:exec-detected
exec(something)
from something import exec
# ok:exec-detected
exec("something")
Short Link: https://sg.run/ndRX