org.sonar.l10n.py.rules.python.S4721.html Maven / Gradle / Ivy
Arbitrary OS commands can be executed by an attacker when:
- The OS command name to execute is user-controlled.
- A shell is spawn rather than a new process, in this case shell meta-chars can be used (when parameters are user-controlled for instance) to
inject OS commands.
- The executable is searched in the directories specified by the PATH variable (which can contain user-controlled or malicious directories).
Ask Yourself Whether
- OS command name or parameters are user-controlled.
- The relative path of the OS command is specified.
- OS commands are not executed in an isolated/sandboxed environment.
- OS command are executed with high privileges.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- User-controlled inputs should not be used, for any reasons, to build a dynamically OS command (command name or even parameters when shell is
used).
- Fully qualified/absolute path should be used to specify the OS command to execute.
- If possible, set the lowest privileges to the new process/shell in which commands are executed.
- If possible, execute the OS commands in an isolated environment.
Sensitive Code Example
Python 3
subprocess.run(cmd, shell=True) # Sensitive
subprocess.Popen(cmd, shell=True) # Sensitive
subprocess.call(cmd, shell=True) # Sensitive
subprocess.check_call(cmd, shell=True) # Sensitive
subprocess.check_output(cmd, shell=True) # Sensitive
os.system(cmd) # Sensitive: a shell is always spawn
Python 2
cmd = "when a string is passed through these function, a shell is spawn"
(_, child_stdout, _) = os.popen2(cmd) # Sensitive
(_, child_stdout, _) = os.popen3(cmd) # Sensitive
(_, child_stdout) = os.popen4(cmd) # Sensitive
(child_stdout, _) = popen2.popen2(cmd) # Sensitive
(child_stdout, _, _) = popen2.popen3(cmd) # Sensitive
(child_stdout, _) = popen2.popen4(cmd) # Sensitive
Compliant Solution
Python 3
# by default shell=False, a shell is not spawn
subprocess.run(cmd) # Compliant
subprocess.Popen(cmd) # Compliant
subprocess.call(cmd) # Compliant
subprocess.check_call(cmd) # Compliant
subprocess.check_output(cmd) # Compliant
# always in a subprocess:
os.spawnl(mode, path, *cmd) # Compliant
os.spawnle(mode, path, *cmd, env) # Compliant
os.spawnlp(mode, file, *cmd) # Compliant
os.spawnlpe(mode, file, *cmd, env) # Compliant
os.spawnv(mode, path, cmd) # Compliant
os.spawnve(mode, path, cmd, env) # Compliant
os.spawnvp(mode, file, cmd) # Compliant
os.spawnvpe(mode, file, cmd, env) # Compliant
(child_stdout) = os.popen(cmd, mode, 1) # Compliant
(_, output) = subprocess.getstatusoutput(cmd) # Compliant
out = subprocess.getoutput(cmd) # Compliant
os.startfile(path) # Compliant
os.execl(path, *cmd) # Compliant
os.execle(path, *cmd, env) # Compliant
os.execlp(file, *cmd) # Compliant
os.execlpe(file, *cmd, env) # Compliant
os.execv(path, cmd) # Compliant
os.execve(path, cmd, env) # Compliant
os.execvp(file, cmd) # Compliant
os.execvpe(file, cmd, env) # Compliant
Python 2
cmdsargs = ("use", "a", "sequence", "to", "directly", "start", "a", "subprocess")
(_, child_stdout) = os.popen2(cmdsargs) # Compliant
(_, child_stdout, _) = os.popen3(cmdsargs) # Compliant
(_, child_stdout) = os.popen4(cmdsargs) # Compliant
(child_stdout, _) = popen2.popen2(cmdsargs) # Compliant
(child_stdout, _, _) = popen2.popen3(cmdsargs) # Compliant
(child_stdout, _) = popen2.popen4(cmdsargs) # Compliant
See
- OWASP Top 10 2017 Category A1 - Injection
- MITRE, CWE-78 - Improper Neutralization of Special Elements used in an OS Command
- SANS Top 25 - Insecure Interaction Between Components
Deprecated
This rule is deprecated, and will eventually be removed.
© 2015 - 2025 Weber Informatics LLC | Privacy Policy