Potential shell injection with unescaped input.
This check inspects the arguments passed to standard library functions that start a subshell and flags the call unless those arguments consist purely of string literals (or lists of string literals) or of input escaped with shlex.quote.
Python has many ways to execute local commands, either by spawning a process directly or by handing a command string to a shell.
Each of these can be vulnerable to command injection if untrusted input is interpolated into the command without proper escaping.
os.system
os.popen
os.popen2
os.popen3
os.popen4
posix.system
posix.popen
popen2.popen2
popen2.popen3
popen2.popen4
popen2.Popen3
popen2.Popen4
commands.getoutput
commands.getstatusoutput
Note that many of these APIs are deprecated in Python 2 and no longer exist in Python 3, but the check still applies to older scripts that use them.
```python
import os
# x holds untrusted input; it is interpolated into the command string unescaped
os.system("ls {0}".format(x)) # this is bad!
```
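To make the failure concrete, here is an added example (not code from the original page) contrasting the unescaped interpolation above with the shlex.quote form that the check accepts, plus an argv-list call through subprocess for comparison. It uses echo rather than ls so the output is deterministic, the payload string is constructed for the demonstration, and it assumes a POSIX /bin/sh.

```python
import os
import shlex
import subprocess


def run_unsafe(user_input):
    # Unescaped interpolation: the shell parses metacharacters in user_input
    # (here ';') as command syntax, so a second command runs.
    return os.popen("echo {0}".format(user_input)).read()


def run_quoted(user_input):
    # shlex.quote wraps the value in single quotes (escaping any embedded
    # quotes), so the shell sees exactly one literal argument.
    return os.popen("echo " + shlex.quote(user_input)).read()


def run_argv(user_input):
    # No shell at all: the argument list goes straight to execve, so there is
    # nothing for "; echo INJECTED" to break out of.
    result = subprocess.run(
        ["echo", user_input], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    payload = "hello; echo INJECTED"  # constructed attacker-controlled input
    print(repr(run_unsafe(payload)))  # 'hello\nINJECTED\n': the injected command ran
    print(repr(run_quoted(payload)))  # 'hello; echo INJECTED\n'
    print(repr(run_argv(payload)))    # 'hello; echo INJECTED\n'
```

The quoted and argv forms return the payload verbatim as a single argument; only the unescaped form executes the second command.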
Some of these APIs accept a list as the first argument, in which case each element of the list is inspected. (On Unix the popen2 family executes a sequence argument directly without a shell, so the list form is not itself shell-injectable; the check still flags unescaped elements conservatively.)
```python
import popen2
# x is a reference expression, so this call is flagged even in list form
popen2.popen3(["ls", x])
```
- String literals are ok
- Lists of string literals are ok
- Call expressions or reference expressions are treated as "unsafe" unless escaped
- PR100: Subprocess check
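The rules above map directly onto Python's ast module. The following is an added example, not the original check's code or the project's implementation: it encodes the list of subshell-starting functions given above, treats string literals, lists of string literals and shlex.quote(...) calls as safe, flags everything else, and runs over a constructed sample source. It goes slightly beyond the rules as stated by also accepting concatenations and f-strings whose every dynamic piece is escaped; the function names and the handling of a bare `quote` alias (from `from shlex import quote`) are my assumptions.

```python
import ast

# Functions whose first argument reaches a shell (the list given above).
SHELL_FUNCS = {
    "os.system", "os.popen", "os.popen2", "os.popen3", "os.popen4",
    "posix.system", "posix.popen",
    "popen2.popen2", "popen2.popen3", "popen2.popen4",
    "popen2.Popen3", "popen2.Popen4",
    "commands.getoutput", "commands.getstatusoutput",
}

# Assumption: a bare `quote` is treated as `from shlex import quote`.
ESCAPE_FUNCS = {"shlex.quote", "quote"}


def dotted_name(node):
    """Return 'mod.attr' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return None if base is None else base + "." + node.attr
    return None


def is_safe(node):
    """True if the expression can only produce shell-safe text."""
    # String literals are ok.
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    # Input escaped with shlex.quote is ok.
    if isinstance(node, ast.Call) and dotted_name(node.func) in ESCAPE_FUNCS:
        return True
    # Extension: concatenation of safe pieces, e.g. "ls " + shlex.quote(x).
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_safe(node.left) and is_safe(node.right)
    # Extension: f-strings whose every interpolated value is escaped.
    if isinstance(node, ast.JoinedStr):
        return all(
            is_safe(v.value) if isinstance(v, ast.FormattedValue) else is_safe(v)
            for v in node.values
        )
    # Lists (and tuples) are ok only if every element is ok.
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(is_safe(elt) for elt in node.elts)
    # Names, attribute references, .format() calls etc. are unsafe.
    return False


def find_shell_injections(source):
    """Return sorted (lineno, callee) pairs for shell-starting calls with unsafe input."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and node.args:
            callee = dotted_name(node.func)
            if callee in SHELL_FUNCS and not is_safe(node.args[0]):
                findings.append((node.lineno, callee))
    return sorted(findings)


# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
import os, shlex, popen2, commands
os.system("ls")                          # literal: ok
os.system("ls {0}".format(x))            # call expression: flagged
os.system("ls " + shlex.quote(x))        # escaped input: ok
os.popen(cmd).read()                     # reference expression: flagged
popen2.popen3(["ls", "-l"])              # list of literals: ok
popen2.popen3(["ls", x])                 # list containing a reference: flagged
commands.getoutput(f"ls {x}")            # unescaped f-string: flagged
'''

if __name__ == "__main__":
    for lineno, callee in find_shell_injections(SAMPLE):
        print(f"line {lineno}: {callee} called with unescaped input")
```

Run as a script it reports lines 3, 5, 7 and 8 of the sample; the other calls pass because their arguments are literals, lists of literals, or shlex.quote output.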