Insecure Use of Dangerous Function
This vulnerability category covers the following issues:
Command Injection
Why is this important?
Python, like any other programming language, has dangerous functions. If they are used carelessly, the impact on your app can be catastrophic. Python offers several ways to execute code or operating system commands, such as:
exec (executes arbitrary Python, which can in turn run OS commands)
eval (same risk as exec for any expression it is handed)
urllib.urlopen (urllib.request.urlopen in Python 3)
paramiko.exec_command()
SSHClient.invoke_shell()
the subprocess and os modules and related wrappers (subprocess.run, subprocess.Popen, os.system, os.popen)
Attacker-controlled input that reaches any of these functions can give an attacker full access to your production environment.
Read below to find out how to fix this issue in your code.
Fixing Insecure Use of Dangerous Function
At least three options are available, listed from strongest to weakest:
- Remove the dangerous function completely (for example, replace eval on user data with ast.literal_eval, or replace a shell command with a library call)
- Leverage an allow-listed (white-listed) set of permitted values, and reject anything else before it reaches the function
- Escape the user input before it reaches the dangerous function, for example with a shell-escaping helper such as ShellEscape or Python's shlex.quote. Escaping only protects the shell's parsing step: prefer passing arguments as a list to subprocess with shell=False, and still check that a value cannot start with "-" and be read as an option
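The following is an added example, not code from the original page: it shows the vulnerable string-concatenation pattern next to the three fixes above (removing eval in favour of ast.literal_eval, an allow-list plus an argv list with shell=False, and shlex.quote as the fallback when a shell is unavoidable). The "ping a user-supplied host" feature, the hostname allow-list regex and the attacker input are assumptions chosen for illustration.

```python
"""Keeping attacker-controlled input away from dangerous functions.

Added example for illustration; the ping feature, the hostname allow-list
and the attacker input below are assumptions, not code from the page.
"""
import ast
import re
import shlex
import subprocess

# Constructed attacker input: a valid-looking host followed by a second command.
MALICIOUS_HOST = "example.com; cat /etc/passwd"

# Allow-list: hostnames and IPv4 literals only. The first character must be
# alphanumeric, so a value can never start with "-" and become an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: concatenating input into a shell command string.
    This is what os.system()/shell=True would hand to the shell."""
    return "ping -c 1 " + host


def is_allowed_host(host: str) -> bool:
    """Allow-list option: accept only plausible hostnames/IPv4 literals,
    which rules out every shell metacharacter and a leading '-'."""
    return bool(_HOST_RE.fullmatch(host))


def build_ping_command_safe(host: str) -> list:
    """Allow-list the value, then build an argv list for subprocess with
    shell=False so no shell ever parses the input."""
    if not is_allowed_host(host):
        raise ValueError("host rejected by allow-list: %r" % host)
    return ["ping", "-c", "1", host]


def build_ping_command_escaped(host: str) -> str:
    """Escaping option: when a shell is unavoidable, shlex.quote turns the
    input into a single shell word, so ';' can no longer split commands."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv list without a shell (shell=False default)."""
    return subprocess.run(build_ping_command_safe(host),
                          capture_output=True, text=True, check=False)


def parse_literal(user_input: str):
    """Remove-the-function option for eval(): ast.literal_eval accepts only
    Python literals (numbers, strings, lists, dicts, ...) and never calls
    functions, so '__import__("os").system(...)' raises ValueError."""
    return ast.literal_eval(user_input)


if __name__ == "__main__":
    print("unsafe :", build_ping_command_unsafe(MALICIOUS_HOST))
    print("escaped:", build_ping_command_escaped(MALICIOUS_HOST))
    try:
        build_ping_command_safe(MALICIOUS_HOST)
    except ValueError as exc:
        print("rejected:", exc)
    print("argv   :", build_ping_command_safe("example.com"))
    print("literal:", parse_literal("[1, 2, 3]"))
    try:
        parse_literal("__import__('os').system('id')")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list plus argv list is the form to reach for: the shell never sees the value, and the regex also rejects a leading "-" so ping cannot be handed an unexpected option. shlex.quote neutralises shell parsing only; it does nothing about option injection or about what the invoked program itself does with the string.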