
No detection when passing keyword args to subprocess/shell functions

Open · ericwb opened this issue 7 years ago · 1 comment

Multiple plugins in bandit/plugins/injection_shell.py assume that a command will be passed in as a positional argument. When keyword arguments are used, the plugins don't even report that a call occurred.

The only issue that Bandit reports against the below Python 2 code is the import of "subprocess":

```python
# Python 2: each call passes the command as a keyword argument rather than
# positionally, so the injection_shell.py plugins never see it.
import commands
commands.getoutput(cmd='ls')

import os
os.popen2(mode='r', cmd='ls')

import subprocess
subprocess.Popen(args='ls', shell=True)
```

I think a solution for the shell injection plugins is to check for either args[0] or kwargs['cmd']/kwargs['args']/etc., depending on the function.

Note: this quirk only applies to Python-defined functions. Built-in functions, like os.system() on Python 2, won't accept keyword arguments.

ericwb · Apr 27 '18 16:04
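The check the issue proposes, as an added illustration that is not Bandit's own plugin code: an AST walk that, for each recognised process-spawning call, takes the command from `args[0]` when a positional argument is present and otherwise from the keyword that function uses for it (`args` for the `subprocess` family, `cmd` for `commands.getoutput` and `os.popen2`). The keyword table, the `find_shell_calls` name and the sample source are assumptions made for this example; the sample reuses the issue's three calls plus one positional `subprocess.call` so both forms are exercised.

```python
"""Keyword-aware command extraction for subprocess/shell-style calls.

Added example, not Bandit's code: it shows the args[0]-or-kwargs lookup
the issue suggests so that keyword-only calls are still reported.
"""
import ast

# Assumed mapping from qualified function name to the keyword that carries
# the command, taken from the stdlib signatures of the functions the issue
# discusses (os.system is a C builtin on Python 2 and rejects keywords, but
# accepting one here is harmless).
COMMAND_KWARG = {
    "subprocess.Popen": "args",
    "subprocess.call": "args",
    "subprocess.check_call": "args",
    "subprocess.check_output": "args",
    "subprocess.run": "args",
    "commands.getoutput": "cmd",
    "commands.getstatusoutput": "cmd",
    "os.popen": "cmd",
    "os.popen2": "cmd",
    "os.system": "command",
}


def _dotted_name(node):
    """Return 'module.func' for a Call's func node, or None if it is not a plain dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _command_node(call, kwarg_name):
    """The expression supplying the command: args[0] if present, else the named keyword."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == kwarg_name:  # kw.arg is None for **kwargs splats; skip those
            return kw.value
    return None


def _is_shell_true(call):
    """True when the call passes a literal shell=True."""
    for kw in call.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant):
            return bool(kw.value.value)
    return False


def find_shell_calls(source):
    """Return (lineno, qualified_name, command_text, shell_true) for every
    recognised call, whether the command is positional or a keyword."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in COMMAND_KWARG:
            continue
        cmd = _command_node(node, COMMAND_KWARG[name])
        if cmd is None:
            continue  # no command supplied at all; nothing to report
        if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
            cmd_text = cmd.value
        else:
            cmd_text = ast.unparse(cmd)  # variable, list, f-string, ... (Python 3.9+)
        findings.append((node.lineno, name, cmd_text, _is_shell_true(node)))
    return findings


# Constructed sample: the issue's three keyword-only calls plus one positional call.
SAMPLE_SOURCE = """\
import commands
commands.getoutput(cmd='ls')

import os
os.popen2(mode='r', cmd='ls')

import subprocess
subprocess.Popen(args='ls', shell=True)
subprocess.call(['ls', '-l'])
"""

if __name__ == "__main__":
    for lineno, name, cmd, shell in find_shell_calls(SAMPLE_SOURCE):
        print("line %d: %s(%r) shell=%s" % (lineno, name, cmd, shell))
```

This resolves only literal dotted names (`subprocess.Popen`), not `from subprocess import Popen` aliases, which Bandit handles through its import tracking; the point here is just the second lookup path when `call.args` is empty.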

Can I just clarify the requirements a little here? It looks like there are a few issues you are bringing up and I want to make sure I understand them.

Firstly, the import statements for the commands and os modules don't raise any reports. Like with subprocess, they should perhaps raise a low severity import warning.

Secondly, the subprocess reports don't fire properly when keyword arguments are used, and that's an issue.

Thirdly, the commands and popen2 reports also don't fire correctly.

I'll try to iterate on some of those problems and contribute some more requests.

tleeuwenburg · Aug 27 '18 07:08