python.lang.security.dangerous-system-call.dangerous-system-call
semgrepAuthor
unknown
Download Count*
License
Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Run Locally
Run in CI
Defintion
rules:
- id: dangerous-system-call
mode: taint
options:
symbolic_propagation: true
pattern-sources:
- patterns:
- pattern-either:
- patterns:
- pattern-either:
- pattern: flask.request.form.get(...)
- pattern: flask.request.form[...]
- pattern: flask.request.args.get(...)
- pattern: flask.request.args[...]
- pattern: flask.request.values.get(...)
- pattern: flask.request.values[...]
- pattern: flask.request.cookies.get(...)
- pattern: flask.request.cookies[...]
- pattern: flask.request.stream
- pattern: flask.request.headers.get(...)
- pattern: flask.request.headers[...]
- pattern: flask.request.data
- pattern: flask.request.full_path
- pattern: flask.request.url
- pattern: flask.request.json
- pattern: flask.request.get_json()
- pattern: flask.request.view_args.get(...)
- pattern: flask.request.view_args[...]
- patterns:
- pattern-inside: |
@$APP.route(...)
def $FUNC(..., $ROUTEVAR, ...):
...
- focus-metavariable: $ROUTEVAR
- patterns:
- pattern-inside: |
def $FUNC(request, ...):
...
- pattern-either:
- pattern: request.$PROPERTY.get(...)
- pattern: request.$PROPERTY[...]
- patterns:
- pattern-either:
- pattern-inside: |
@rest_framework.decorators.api_view(...)
def $FUNC($REQ, ...):
...
- patterns:
- pattern-either:
- pattern-inside: >
class $VIEW(..., rest_framework.views.APIView,
...):
...
- pattern-inside: >
class $VIEW(...,
rest_framework.generics.GenericAPIView, ...):
...
- pattern-inside: |
def $METHOD(self, $REQ, ...):
...
- metavariable-regex:
metavariable: $METHOD
regex: (get|post|put|patch|delete|head)
- pattern-either:
- pattern: $REQ.POST.get(...)
- pattern: $REQ.POST[...]
- pattern: $REQ.FILES.get(...)
- pattern: $REQ.FILES[...]
- pattern: $REQ.DATA.get(...)
- pattern: $REQ.DATA[...]
- pattern: $REQ.QUERY_PARAMS.get(...)
- pattern: $REQ.QUERY_PARAMS[...]
- pattern: $REQ.data.get(...)
- pattern: $REQ.data[...]
- pattern: $REQ.query_params.get(...)
- pattern: $REQ.query_params[...]
- pattern: $REQ.content_type
- pattern: $REQ.content_type
- pattern: $REQ.stream
- pattern: $REQ.stream
- patterns:
- pattern-either:
- pattern-inside: >
class $SERVER(..., http.server.BaseHTTPRequestHandler,
...):
...
- pattern-inside: >
class $SERVER(..., http.server.StreamRequestHandler,
...):
...
- pattern-inside: >
class $SERVER(..., http.server.DatagramRequestHandler,
...):
...
- pattern-either:
- pattern: self.requestline
- pattern: self.path
- pattern: self.headers[...]
- pattern: self.headers.get(...)
- pattern: self.rfile
- patterns:
- pattern-inside: |
@pyramid.view.view_config( ... )
def $VIEW($REQ):
...
- pattern: $REQ.$ANYTHING
- pattern-not: $REQ.dbsession
pattern-sinks:
- patterns:
- pattern-not: os.$W("...", ...)
- pattern-either:
- pattern: os.system(...)
- pattern: getattr(os, "system")(...)
- pattern: __import__("os").system(...)
- pattern: getattr(__import__("os"), "system")(...)
- pattern: |
$X = __import__("os")
...
$X.system(...)
- pattern: |
$X = __import__("os")
...
getattr($X, "system")(...)
- pattern: |
$X = getattr(os, "system")
...
$X(...)
- pattern: |
$X = __import__("os")
...
$Y = getattr($X, "system")
...
$Y(...)
- pattern: os.popen(...)
- pattern: os.popen2(...)
- pattern: os.popen3(...)
- pattern: os.popen4(...)
message: Found user-controlled data used in a system call. This could allow a
malicious actor to execute commands. Use the 'subprocess' module instead,
which is easier to use without accidentally exposing a command injection
vulnerability.
metadata:
source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
references:
- https://semgrep.dev/docs/cheat-sheets/python-command-injection/
asvs:
section: "V5: Validation, Sanitization and Encoding Verification Requirements"
control_id: 5.2.4 Dyanmic Code Execution Features
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
version: "4"
category: security
technology:
- python
confidence: MEDIUM
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Command Injection
languages:
- python
severity: ERROR
Examples
dangerous-system-call.py
import os
# ok:dangerous-system-call
os.system("ls -al")
# ok:dangerous-system-call
os.popen("cat contents.txt")
from somewhere import something
# fn:dangerous-system-call
os.system(something())
# fn:dangerous-system-call
os.popen(something())
# fn:dangerous-system-call
os.popen2(something())
# Flask true positives
import flask
app = flask.Flask(__name__)
@app.route("/route_param/<route_param>")
def route_param(route_param):
# ruleid:dangerous-system-call
os.system("prefix" + route_param + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + route_param + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + route_param + "suffix")
# ruleid:dangerous-system-call
getattr(os, "system")("prefix" + route_param + "suffix")
return "oops!"
# Flask true negatives
@app.route("/route_param/<route_param>")
def route_param2(route_param):
# ok:dangerous-system-call
os.system("static")
# ok:dangerous-system-call
os.popen("static")
# ok:dangerous-system-call
os.popen2("static")
return "ok!"
# Django true positives
from django.http import HttpResponse
def get_user_age1(request):
user_data = request.POST.get("user_data")
# ruleid:dangerous-system-call
os.system("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + user_data + "suffix")
return HttpResponse("oops!")
# Django true negatives
def get_user_age2(request):
# ok:dangerous-system-call
os.system("static")
# ok:dangerous-system-call
os.popen("static")
# ok:dangerous-system-call
os.popen2("static")
return HttpResponse("ok!")
# Django Rest true positives
from rest_framework.decorators import api_view
from rest_framework.response import Response
@api_view(["GET", "POST"])
def my_api(req):
user_data = req.POST.get("user_data")
# ruleid:dangerous-system-call
os.system("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + user_data + "suffix")
return Response()
from django.http import Http404
from rest_framework.views import APIView
from rest_framework import status
class MyApi(APIView):
def get(self, req, format=None):
user_data = req.POST.get("user_data")
# ruleid:dangerous-system-call
os.system("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + user_data + "suffix")
return Response()
def post(self, req, format=None):
user_data = req.POST.get("user_data")
# ruleid:dangerous-system-call
os.system("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + user_data + "suffix")
return Response()
from rest_framework import mixins
from rest_framework import generics
class MyApi2(mixins.ListModelMixin, mixins.CreateModelMixin, generics.GenericAPIView):
def get(self, req, format=None):
user_data = req.POST.get("user_data")
# ruleid:dangerous-system-call
os.system("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + user_data + "suffix")
return Response()
def post(self, req, format=None):
user_data = req.POST.get("user_data")
# ruleid:dangerous-system-call
os.system("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + user_data + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + user_data + "suffix")
return Response()
# Pyramid true positives
from pyramid.view import view_config
from pyramid.request import Response
@view_config(
route_name="bad_route", renderer="pyramid_test_mako:templates/mytemplate.mako"
)
def my_bad_view1(request):
param = request.params.get("p", "")
# ruleid:dangerous-system-call
os.system("prefix" + param + "suffix")
# ruleid:dangerous-system-call
os.popen("prefix" + param + "suffix")
# ruleid:dangerous-system-call
os.popen2("prefix" + param + "suffix")
return Response("oops!")
@view_config(
route_name="good_route", renderer="pyramid_test_mako:templates/mytemplate.mako"
)
def my_good_view1(request):
# ok:dangerous-system-call
os.system("static")
# ok:dangerous-system-call
os.popen("static")
# ok:dangerous-system-call
os.popen2("static")
return Response("ok!")
Short Link: https://sg.run/k0W7