python.lang.security.audit.logging.listeneval.listen-eval

Verified by r2c
Community Favorite
Author: semgrep
Download count: 121,116

Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the verify() argument to listen() to prevent unrecognized configurations.


Definition

rules:
  - id: listen-eval
    languages:
      - python
    message: Because portions of the logging configuration are passed through
      eval(), use of this function may open its users to a security risk. While
      the function only binds to a socket on localhost, and so does not accept
      connections from remote machines, there are scenarios where untrusted code
      could be run under the account of the process which calls listen(). To
      avoid this happening, use the `verify()` argument to `listen()` to prevent
      unrecognized configurations.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    pattern: logging.config.listen(...)

Examples

listeneval.py

from logging.config import listen

PORT_NUMBER = 1234

def start_log():
    # Flagged case: listen() is called without a verify= callback, so any
    # configuration delivered to the local port is processed as-is.
    # ruleid: listen-eval
    t = listen(PORT_NUMBER)
    t.start()
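The hardened counterpart of the flagged call, added here as an illustration (it is not part of the Semgrep rule or the Python standard library): the verify callback the rule message recommends authenticates each received configuration with an HMAC over a pre-shared key, and additionally refuses anything that would not be handled by dictConfig(), since non-JSON input falls through to fileConfig(), whose handler 'args' are eval()'d. The key, separator and tag layout are constructed for this example.

```python
import hashlib
import hmac
import json
from logging.config import listen

# Constructed wire format (an assumption for this example): a hex HMAC-SHA256
# tag, a newline, then the JSON configuration body.
SEPARATOR = b"\n"
TAG_LEN = hashlib.sha256().digest_size * 2  # hex characters in a SHA-256 tag


def sign_config(key: bytes, config: bytes) -> bytes:
    """Prepend a hex HMAC-SHA256 tag so the listener can authenticate the sender."""
    tag = hmac.new(key, config, hashlib.sha256).hexdigest().encode("ascii")
    return tag + SEPARATOR + config


def make_verifier(key: bytes):
    """Build the callable passed as listen(verify=...).

    listen() hands the bytes read from the socket to verify(). Returning None
    rejects the configuration; returning bytes lets logging.config process them.
    """

    def verify(data: bytes):
        tag, sep, body = data.partition(SEPARATOR)
        if not sep or len(tag) != TAG_LEN:
            return None  # no tag present: reject before any parsing happens
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
        if not hmac.compare_digest(tag, expected):
            return None  # tag does not match the pre-shared key: reject
        try:
            parsed = json.loads(body)
        except ValueError:
            return None  # not JSON: would fall through to fileConfig() and eval()
        if not isinstance(parsed, dict):
            return None  # non-dict JSON also falls through to fileConfig()
        return body  # authenticated JSON configuration, handed to dictConfig()

    return verify


def start_log(port: int, key: bytes):
    """Start the configuration listener with sender authentication enabled."""
    t = listen(port, verify=make_verifier(key))
    t.start()
    return t
```

The key must be distributed out of band to the process that pushes configurations; without it, a local process that can reach the port cannot get a configuration accepted.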