python.lang.security.audit.logging.listeneval.listen-eval
Verifed by r2c
Community Favorite
returntocorpAuthor
121,116
Download Count*
License
Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the verify() argument to listen() to prevent unrecognized configurations.
Run Locally
Run in CI
Defintion
rules:
- id: listen-eval
languages:
- python
message: Because portions of the logging configuration are passed through
eval(), use of this function may open its users to a security risk. While
the function only binds to a socket on localhost, and so does not accept
connections from remote machines, there are scenarios where untrusted code
could be run under the account of the process which calls listen(). To
avoid this happening, use the `verify()` argument to `listen()` to prevent
unrecognized configurations.
metadata:
cwe:
- "CWE-95: Improper Neutralization of Directives in Dynamically
Evaluated Code ('Eval Injection')"
owasp:
- A03:2021 - Injection
references:
- https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen
category: security
technology:
- python
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
severity: WARNING
pattern: logging.config.listen(...)
Examples
listeneval.py
from logging.config import listen
PORT_NUMBER = 1234
def start_log():
# ruleid: listen-eval
t = listen(PORT_NUMBER)
t.start()
Short Link: https://sg.run/9okY