python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command
Community Favorite
Author: semgrep
Download Count*: 48,183
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Detected a paramiko SSHClient.exec_command() call whose command is not a constant string. If the command is built from user-controlled input, an attacker may be able to run arbitrary commands on the remote host (OS command injection, CWE-78). Prefer a constant command, or validate the input against an allowlist and escape each argument with 'shlex.quote()'.
Definition
rules:
  - id: paramiko-exec-command
    patterns:
      - pattern-inside: |
          $CLIENT = paramiko.client.SSHClient(...)
          ...
      - pattern: $CLIENT.exec_command(...)
      - pattern-not: $CLIENT.exec_command("...", ...)
    message: Detected a paramiko SSHClient.exec_command() call whose command is not
      a constant string. If the command is built from user-controlled input, an
      attacker may be able to run arbitrary commands on the remote host (OS command
      injection, CWE-78). Prefer a constant command, or validate the input against
      an allowlist and escape each argument with 'shlex.quote()'.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      references:
        - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command
        - https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py
      category: security
      technology:
        - paramiko
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    severity: ERROR
    languages:
      - python
Examples
paramiko-exec-command.py
# cf. https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/examples/paramiko_injection.py
import sys

import paramiko
# Aliased so the module name does not collide with the `client` instance below.
from paramiko import client as paramiko_client

# Stand-in for attacker-controllable data (here: the first CLI argument).
user_input = sys.argv[1] if len(sys.argv) > 1 else "ls -l"

# Fully qualified constructor.
client = paramiko.client.SSHClient()
client.load_system_host_keys()
client.connect("somehost")
# ok:paramiko-exec-command
client.exec_command("ls -r /")
# ruleid:paramiko-exec-command
client.exec_command(user_input)

# Same rule, constructor reached through the imported module alias.
client2 = paramiko_client.SSHClient()
client2.load_system_host_keys()
client2.connect("somehost")
# ok:paramiko-exec-command
client2.exec_command("ls -r /")
# ruleid:paramiko-exec-command
client2.exec_command(user_input)
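The test file above shows only what the rule matches. The following is an added example, not part of the Semgrep rule or the Bandit plugin it derives from, showing one way to build the command string that `exec_command()` receives so that untrusted input cannot change the command's structure. The allowlist `ALLOWED_COMMANDS`, the operation names `list` and `usage`, and the helper names are assumptions chosen for this illustration; `shell_words()` uses the standard library `shlex` lexer to tokenise both constructions the way a POSIX shell would, so the difference is visible without a remote host.

```python
import shlex

# Constructed allowlist of the remote operations this tool may run.
# Every entry ends with "--" so a user-supplied argument is never parsed
# as an option by the remote program.
ALLOWED_COMMANDS = {
    "list": "ls -l --",
    "usage": "du -sh --",
}


def build_command(name, args):
    """Return a command string in which every untrusted argument is quoted.

    `name` must be a key of ALLOWED_COMMANDS; `args` are untrusted strings
    (for example paths typed by a user). shlex.quote() wraps anything that
    is not a plain word in single quotes, so the remote shell sees one word.
    """
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"operation not allowed: {name!r}")
    if not args:
        raise ValueError("at least one argument is required")
    return " ".join([ALLOWED_COMMANDS[name], *(shlex.quote(a) for a in args)])


def unsafe_command(user_path):
    """The construction the rule is meant to catch: raw concatenation."""
    return "ls -l -- " + user_path


def shell_words(command):
    """Tokenise `command` like a POSIX shell, keeping ; | & ( ) < > as
    separate operator tokens, so the two constructions can be compared."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_remote(client, name, args):
    """Run an allowlisted operation over an already connected
    paramiko.client.SSHClient (`client`; not exercised here) and return
    stdout as text."""
    _stdin, stdout, _stderr = client.exec_command(build_command(name, args))
    return stdout.read().decode()


if __name__ == "__main__":
    # Constructed sample input containing a shell command separator.
    hostile = "notes.txt; id"
    print("concatenated:", shell_words(unsafe_command(hostile)))
    print("quoted:      ", shell_words(build_command("list", [hostile])))
```

With the concatenated form the shell sees `;` as an operator and `id` as a second command; with the quoted form the whole input is a single argument to `ls`. Note that the rule excludes only string-literal commands, so a call such as the one in `run_remote()` still matches when the client is constructed in the same scope. That is the intended behaviour of an audit rule with LOW confidence: the finding tells a reviewer to check how the string was built, and `build_command()` is the place to look.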
Short Link: https://sg.run/kXQ7