python.lang.security.audit.system-wildcard-detected.system-wildcard-detected
Community Favorite
Author: semgrep
Download Count*: 48,183
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.
Definition
rules:
  - id: system-wildcard-detected
    patterns:
      - pattern-either:
          - pattern-inside: os.system("...")
          - pattern-inside: os.popen("...")
          - pattern-inside: os.popen2("...")
          - pattern-inside: os.popen3("...")
          - pattern-inside: os.popen4("...")
          - pattern-inside: subprocess.$W(..., shell=True, ...)
      - pattern-regex: (tar|chmod|chown|rsync)(.*?)\*
    message: >-
      Detected use of the wildcard character in a system call that spawns a
      shell. This subjects the wildcard to normal shell expansion, which can
      have unintended consequences if there exist any non-standard file names.
      Consider a file named '-e sh script.sh' -- this will execute a script when
      'rsync' is called. See
      https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
      for more information.
    metadata:
      cwe:
        - "CWE-155: Improper Neutralization of Wildcards or Matching Symbols"
      owasp: A01:2017 - Injection
      source-url-open: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py
      references:
        - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - python
    severity: WARNING
Examples
system-wildcard-detected.py
# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py
import os as o
import subprocess as subp
import sys  # sys.argv is used in one of the "ok" cases below

# Vulnerable to wildcard injection: the command string is handed to a shell,
# so '*' is expanded there and a file name beginning with '-' is passed to the
# program as if it were a command-line option.
# ruleid:system-wildcard-detected
o.system("/bin/tar xvzf *")
# ruleid:system-wildcard-detected
o.system('/bin/chown *')
# ruleid:system-wildcard-detected
o.popen2('/bin/chmod *')  # os.popen2 only exists on Python 2; kept as a pattern fixture
# ruleid:system-wildcard-detected
subp.Popen('/bin/chown *', shell=True)

# Not vulnerable to wildcard injection: no shell is involved (shell=False is the
# default), so '*' reaches the program as a literal argument and is never expanded.
# ok:system-wildcard-detected
subp.Popen('/bin/rsync *')  # without shell=True this string is the program name, not a command line
# ok:system-wildcard-detected
subp.Popen("/bin/chmod *")
# ok:system-wildcard-detected
subp.Popen(['/bin/chown', '*'])
# ok:system-wildcard-detected
subp.Popen(["/bin/chmod", sys.argv[1], "*"],
           stdin=subp.PIPE, stdout=subp.PIPE)
# ok:system-wildcard-detected
o.spawnvp(o.P_WAIT, 'tar', ['tar', 'xvzf', '*'])
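The following is an added, runnable illustration of the rule's message and of the difference between its "ruleid" and "ok" cases; it is not part of the Semgrep or Bandit sources. It creates a temporary directory with constructed file names (one shaped like an option, as the description's '-e sh script.sh' is), shows the argument list a program actually receives when called as `<program> *` through a shell versus through an argv list, and builds a hardened argv that enumerates files in Python and terminates option parsing with `--`. `printf` stands in for tar/chown/rsync so nothing is archived or modified; the example assumes a POSIX `sh` and a `printf` binary on PATH, and the function and file names are this example's own.

```python
"""Added example: shell-expanded '*' versus a literal argv (not from the rule page)."""
import os
import shutil
import subprocess
import tempfile

# Constructed file names for the demonstration. The third one is shaped like a
# command-line option, which is the situation the rule description refers to.
CONSTRUCTED_NAMES = ["backup.tar.gz", "notes.txt", "-e sh script.sh"]


def make_fixture_dir() -> str:
    """Create a temporary directory holding empty files with the constructed names."""
    directory = tempfile.mkdtemp(prefix="wildcard-demo-")
    for name in CONSTRUCTED_NAMES:
        with open(os.path.join(directory, name), "w", encoding="utf-8"):
            pass
    return directory


def cleanup_fixture(directory: str) -> None:
    """Remove the temporary directory created by make_fixture_dir()."""
    shutil.rmtree(directory)


def shell_expanded_args(directory: str) -> list[str]:
    """Return the arguments a program receives when run as '<program> *' via a shell.

    This is the construct the rule flags (shell=True plus a wildcard). 'printf'
    stands in for tar/chown/rsync: it just echoes back every argument the shell
    produced for '*'. LC_ALL=C pins the glob sort order to byte order, where '-'
    sorts before letters, so the option-shaped name lands ahead of the real files.
    """
    proc = subprocess.run(
        "printf '%s\\n' *",  # the shell expands '*' before printf runs
        shell=True,
        cwd=directory,
        env={**os.environ, "LC_ALL": "C"},
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout.splitlines()


def literal_args_without_shell(directory: str) -> list[str]:
    """Return what the program receives when '*' is passed in an argv list (no shell).

    This mirrors the 'ok' cases in the rule's test file: with shell=False the
    string '*' is handed over unchanged, so no expansion can take place.
    """
    proc = subprocess.run(
        ["printf", "%s\n", "*"],
        cwd=directory,
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout.splitlines()


def option_shaped_args(args: list[str]) -> list[str]:
    """Arguments a typical option parser would read as flags rather than as operands."""
    return [arg for arg in args if arg.startswith("-")]


def hardened_argv(program_argv: list[str], directory: str) -> list[str]:
    """Build a safe argv: enumerate files in Python and end option parsing with '--'.

    GNU tar, chmod, chown and rsync all honour '--', so every name after it is an
    operand even if it begins with '-'. No shell is involved, so nothing expands.
    """
    files = sorted(os.listdir(directory))
    return [*program_argv, "--", *files]


if __name__ == "__main__":
    fixture = make_fixture_dir()
    try:
        expanded = shell_expanded_args(fixture)
        print("shell-expanded argv :", expanded)
        print("option-shaped names :", option_shaped_args(expanded))
        print("no shell, literal   :", literal_args_without_shell(fixture))
        print("hardened argv       :", hardened_argv(["tar", "xvzf", "backup.tar.gz"], fixture))
    finally:
        cleanup_fixture(fixture)
```

The two subprocess calls are the whole story: with `shell=True` the program's argv is decided by whatever names happen to be in the directory, while with an argv list Python passes each element through unchanged. The hardened form also keeps the file list under the program's control rather than the shell's, which is the fix to reach for when the rule fires.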
Short Link: https://sg.run/5QXA