Insecure Use of Dangerous Function

This vulnerability category covers the following issues:

Command Injection

Command Injection

Why is this important?

Python, like any other programming language, has dangerous functions. If these functions are not used properly, it can have a catastrophic impact on your app. Python offers several ways to execute operating system commands, such as:

exec
eval
urllib_urlopen
paramiko.exec_command()
SSHClient.invoke_shell()
subprocess modules and related wrappers

Attacker controlled input, that is processed by any of these functions, can lead to attackers getting full access to your production environment.

Check out this video for a high-level explanation:

Read below to find out how to fix this issue in your code.

Fixing Insecure Use of Dangerous Function

At least three options are available:

Remove the dangerous function completely
Escape the user input in the dangerous function. For example with ShellEscape
Leverage a white-listed set of allowed parameters

More information:

Common Weakness Enumeration (CWE-78)
Common Weakness Enumeration (CWE-95)
OWASP Top 10 - A1 Injection

GuardRails

General

C/C++

Elixir

Go

Java

Javascript/TypeScript

Kubernetes

PHP

Python

Ruby

Rust

Solidity

Terraform

Insecure Use of Dangerous Function

Command Injection

Why is this important?

Fixing Insecure Use of Dangerous Function

More information: