trailofbits.python.numpy-f2py-compile.numpy-f2py-compile

Author: trailofbits

Compiling arbitrary code can result in code execution. Ensure the source code is from a trusted location


Definition

rules:
  - id: numpy-f2py-compile
    message: Compiling arbitrary code can result in code execution. Ensure the
      source code is from a trusted location
    languages:
      - python
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-676: Use of Potentially Dangerous Function"
      subcategory:
        - audit
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      technology:
        - numpy
      description: Potential arbitrary code execution from `NumPy` `f2py` compilation
      references:
        - https://numpy.org/doc/stable/f2py/usage.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Dangerous Method or Function
    patterns:
      - pattern: numpy.f2py.compile(...)
      - pattern-not: numpy.f2py.compile("...", ...)

Examples

numpy-f2py-compile.py

from numpy import f2py

sourcecode = "test.exe"

# ok: numpy-f2py-compile
f2py.compile(sourcecode, modulename='add')

# ok: numpy-f2py-compile
f2py.compile("test2.exe", modulename='sub')

# ok: numpy-f2py-compile
f2py.get_include(sourcecode)

# ruleid: numpy-f2py-compile
f2py.compile(input(), modulename='sub')

# ok: numpy-f2py-compile
f2py.compile(sourcecode, modulename=input())

def test(param):
    # ruleid: numpy-f2py-compile
    return f2py.compile(param, modulename='mul')
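The rule's message asks that the source handed to f2py.compile come from a trusted location. One way to enforce that before the call, as an added example (not part of the Semgrep rule or of numpy; read_trusted_source, compile_trusted, demo and the Fortran snippet are constructed names): the source must sit under a fixed directory and match a pinned SHA-256 digest, so a path escaping that directory or a file edited after the digest was recorded is refused.

```python
# Added example; helper names and the Fortran snippet are constructed.
import hashlib
import tempfile
from pathlib import Path

class UntrustedSourceError(ValueError):
    """A Fortran source file failed the trust checks."""

def read_trusted_source(path, trusted_dir, expected_sha256):
    """Return source text only if under trusted_dir with the pinned SHA-256."""
    trusted_root = Path(trusted_dir).resolve()
    candidate = Path(path).resolve()
    # resolve() follows symlinks and collapses '..', so a path that
    # escapes the trusted directory is rejected here
    if trusted_root not in candidate.parents:
        raise UntrustedSourceError(f"{path} is outside {trusted_dir}")
    data = candidate.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise UntrustedSourceError(f"digest mismatch for {path}")
    return data.decode("utf-8")

def compile_trusted(path, trusted_dir, expected_sha256, modulename):
    """Hand the source to f2py only after the checks above passed."""
    source = read_trusted_source(path, trusted_dir, expected_sha256)
    from numpy import f2py  # imported late so the checks run without numpy
    return f2py.compile(source, modulename=modulename)

def _rejected(*args):
    try:
        read_trusted_source(*args)
    except UntrustedSourceError:
        return True
    return False

FORTRAN_ADD = "      subroutine add(a,b,c)\n      c = a + b\n      end\n"

def demo():
    """Returns (trusted accepted, outside-dir rejected, edited file rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp, "trusted")
        trusted.mkdir()
        good, outside = trusted / "add.f", Path(tmp, "add.f")
        good.write_text(FORTRAN_ADD)
        outside.write_text(FORTRAN_ADD)  # same bytes, untrusted location
        digest = hashlib.sha256(FORTRAN_ADD.encode()).hexdigest()
        accepted = read_trusted_source(good, trusted, digest) == FORTRAN_ADD
        outside_rejected = _rejected(outside, trusted, digest)
        good.write_text(FORTRAN_ADD.replace("a + b", "a - b"))  # edited
        return accepted, outside_rejected, _rejected(good, trusted, digest)
```

Because compile_trusted still passes a variable to f2py.compile, the rule will keep flagging that line for audit; the guard is what makes the finding acceptable to close.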