Insecure Use of Dangerous Function

This vulnerability category covers the following issues:

Command Injection

Why is this important?

Python, like any other programming language, has dangerous functions. If they are not used properly, the impact on your app can be catastrophic. Python offers several ways to execute code or operating system commands, or to reach external resources on the caller's behalf, such as:

  • exec and eval (execute arbitrary Python code)
  • urllib.urlopen / urllib.request.urlopen (fetches whatever URL it is handed, including file: URLs and internal addresses)
  • paramiko.exec_command()
  • SSHClient.invoke_shell()
  • the subprocess module and related wrappers such as os.system and os.popen

Attacker-controlled input that reaches any of these functions can give the attacker full access to your production environment.

Check out this video for a high-level explanation:

OS Command Injection

Read below to find out how to fix this issue in your code.

Fixing Insecure Use of Dangerous Function

At least three options are available:

  1. Remove the dangerous function completely. For subprocess, pass an argument list with shell=False instead of building a shell string; for eval, use ast.literal_eval or a real parser.
  2. Escape the user input before it reaches the dangerous function, for example with a shell-escape helper such as shlex.quote. Treat this as a last resort: escaping only protects the shell layer, not the invoked program's own option parsing.
  3. Accept only an allow-listed set of parameters.
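The three options side by side, as an added example that is not part of the original page. The vulnerable function interpolates untrusted input into a shell string; the hardened variants pass an argument list, escape with shlex.quote, and enforce an allow-list. `echo` stands in for a real tool so the demonstration is harmless, the allow-list contents are constructed, and the eval replacement shows ast.literal_eval rejecting a code-execution payload.

```python
import ast
import shlex
import subprocess

# Constructed allow-list of hosts the application may act on (assumption).
ALLOWED_TARGETS = {"db01.internal", "cache01.internal"}


def _run(cmd, shell: bool) -> str:
    """Run a command and return its stdout as text."""
    proc = subprocess.run(cmd, shell=shell, capture_output=True, text=True)
    return proc.stdout


def run_vulnerable(target: str) -> str:
    """Vulnerable: untrusted input is concatenated into a shell command line.

    A value such as "host; echo INJECTED" makes the shell run a second command.
    `echo` stands in for the real tool so nothing harmful happens here.
    """
    return _run(f"echo {target}", shell=True)


def run_argv(target: str) -> str:
    """Option 1: no shell at all.

    The value becomes a single argv entry, so shell metacharacters are inert.
    """
    return _run(["echo", target], shell=False)


def run_quoted(target: str) -> str:
    """Option 2: escape with shlex.quote when a shell string is unavoidable.

    The shell then sees one quoted word. This only neutralises the shell
    layer; the invoked program still parses the value as it likes.
    """
    return _run(f"echo {shlex.quote(target)}", shell=True)


def run_allowlisted(target: str) -> str:
    """Option 3: accept only values from a fixed set, then run without a shell."""
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"target not allowed: {target!r}")
    return run_argv(target)


def parse_literal(text: str):
    """Replacement for eval() when only data literals (numbers, strings,
    lists, dicts, ...) are expected. Calls, attribute access and imports
    are rejected with ValueError instead of being executed."""
    return ast.literal_eval(text)


if __name__ == "__main__":
    payload = "db01.internal; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))   # second command ran
    print("argv       :", repr(run_argv(payload)))         # literal string echoed
    print("quoted     :", repr(run_quoted(payload)))       # literal string echoed
    try:
        run_allowlisted(payload)
    except ValueError as exc:
        print("allowlisted:", exc)
    try:
        parse_literal("__import__('os').system('id')")
    except ValueError as exc:
        print("literal_eval rejected code:", exc)
```

Run it on any POSIX host: only run_vulnerable prints INJECTED on its own line, because the shell treated `;` as a command separator; the argv and quoted variants print the payload verbatim, and the allow-listed variant never reaches the command at all.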

More information: