trailofbits.python.numpy-f2py-compile.numpy-f2py-compile
trailofbits
Compiling arbitrary code can result in code execution. Ensure the source code is from a trusted location
Definition
rules:
  - id: numpy-f2py-compile
    message: Compiling arbitrary code can result in code execution. Ensure the
      source code is from a trusted location
    languages:
      - python
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-676: Use of Potentially Dangerous Function"
      subcategory:
        - audit
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      technology:
        - numpy
      description: Potential arbitrary code execution from `NumPy` `f2py` compilation
      references:
        - https://numpy.org/doc/stable/f2py/usage.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Dangerous Method or Function
    patterns:
      - pattern: numpy.f2py.compile(...)
      - pattern-not: numpy.f2py.compile("...", ...)
Examples
numpy-f2py-compile.py
from numpy import f2py

# Constant source argument: the rule's pattern-not clause treats it as a literal
sourcecode = "test.exe"

# ok: numpy-f2py-compile
f2py.compile(sourcecode, modulename='add')

# ok: numpy-f2py-compile
f2py.compile("test2.exe", modulename='sub')

# ok: numpy-f2py-compile
f2py.get_include(sourcecode)

# ruleid: numpy-f2py-compile
f2py.compile(input(), modulename='sub')

# ok: numpy-f2py-compile
f2py.compile(sourcecode, modulename=input())


def test(param):
    # ruleid: numpy-f2py-compile
    return f2py.compile(param, modulename='mul')
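The rule flags any `f2py.compile` call whose source argument is not a string literal, because f2py hands that source to a Fortran compiler on the build host, so a tampered file or user-supplied source means native code execution. The wrapper below is an added example, not part of the Semgrep rule or of NumPy: it only compiles sources that live in a vetted directory and whose SHA-256 matches a pin recorded at release time, and it restricts `modulename` to a plain identifier. The `fortran` directory, the `add.f90` pin and the `safe_compile`, `check_source`, `check_module_name` and `is_within_trusted_dir` helpers are all hypothetical names. Since the source still reaches `f2py.compile` through a variable, Semgrep will still report this one call site; the point is that the finding lands on a single reviewed function rather than on ad-hoc calls scattered through the code base.

```python
"""Hardened wrapper around numpy.f2py.compile (added example, hypothetical project code)."""
import hashlib
import hmac
import os
import re

# Constructed: directory of vetted Fortran sources bundled with the project.
TRUSTED_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), "fortran")

# Constructed: SHA-256 pins of those sources, recorded when the release was cut.
# The value is a placeholder; a real project stores the actual digest here.
TRUSTED_SOURCES = {
    "add.f90": "<sha256 of add.f90, recorded at release time>",
}

# f2py derives file and symbol names from modulename; keep it a plain identifier.
MODULE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


class UntrustedSourceError(ValueError):
    """Raised when a source file is not one of the pinned, vetted files."""


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the source bytes, the value that gets pinned."""
    return hashlib.sha256(data).hexdigest()


def is_within_trusted_dir(name: str, trusted_dir: str = TRUSTED_DIR) -> bool:
    """True only if name is a plain file name resolving to a direct child of
    trusted_dir. realpath normalises '..' even for files that do not exist,
    so traversal and absolute paths are rejected before anything is read."""
    base = os.path.realpath(trusted_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    return os.path.dirname(candidate) == base and os.path.basename(candidate) == name


def check_source(name: str, data: bytes, pins: dict = TRUSTED_SOURCES) -> bool:
    """Return True if data is exactly the pinned content for name, else raise."""
    expected = pins.get(name)
    if expected is None:
        raise UntrustedSourceError(f"{name!r} is not a vetted source file")
    # Constant-time comparison; both digests are ASCII hex strings.
    if not hmac.compare_digest(sha256_of(data), expected):
        raise UntrustedSourceError(f"{name!r} does not match its pinned digest")
    return True


def check_module_name(modulename: str) -> bool:
    """Reject anything that is not a plain identifier (shell metacharacters, paths)."""
    if not MODULE_NAME_RE.fullmatch(modulename):
        raise ValueError(f"invalid f2py module name: {modulename!r}")
    return True


def safe_compile(name: str, modulename: str,
                 trusted_dir: str = TRUSTED_DIR, pins: dict = TRUSTED_SOURCES) -> int:
    """Compile one vetted source with f2py and return the compiler's exit status."""
    if not is_within_trusted_dir(name, trusted_dir):
        raise UntrustedSourceError(f"{name!r} is outside the trusted directory")
    with open(os.path.join(os.path.realpath(trusted_dir), name), "rb") as fh:
        data = fh.read()
    check_source(name, data, pins)
    check_module_name(modulename)
    from numpy import f2py  # imported here so the checks above need no NumPy
    # f2py.compile accepts the source as str or bytes; the ruleid finding lands here.
    return f2py.compile(data, modulename=modulename, extension=".f90", verbose=False)
```

A call such as `safe_compile("add.f90", "add")` is the only way the project reaches the compiler, so the one Semgrep finding on the `f2py.compile` line can be reviewed once and marked as audited; any new call site elsewhere shows up as a fresh finding. The pins belong under version control next to the sources, and a test that recomputes them catches a modified `.f90` file before it is ever compiled.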
Short Link: https://sg.run/bEdP