Functions called with shell=1 should be flagged #157
Merged
@ericwb what do you think about the pull request?
ericwb pushed a commit that referenced this issue on Jun 14, 2018
- More example for shell kwarg - Related with #157
I think this could be closed @ericwb unless you have some objection about the test case.
Fixed with PR #298
The injection_shell plugins that look for shell=True (both in subprocess functions, and in other functions) look for either the bool True or the string "True". They might be able to detect more cases, like shell=1.

In the example below, the first two cases are flagged as HIGH, and the second two are flagged as LOW. The case where shell=1 is not caught:

If "shell" is set to anything other than a falsy constant, it can be flagged. It may be possible to use bandit.core.constants.FALSE_VALUES, without the string 'False'.

I think this is the real bug behind https://bugs.launchpad.net/bandit/+bug/1505389
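As an added illustration of the detection rule proposed in the issue (flag any `shell=` whose value is not a known-falsy constant, so that `shell=1`, `shell="True"` and even `shell="False"` are all reported), here is a small stand-alone AST checker. It is example code written for this page, not Bandit's own plugin code; it does not import Bandit, so the set of falsy constants, the list of subprocess function names, the severity labels and the sample source it scans are all this example's own assumptions.

```python
import ast

# Constructed set of values treated as "shell explicitly disabled". The issue
# mentions bandit.core.constants.FALSE_VALUES as a possible source; this example
# does not import Bandit and uses its own set (an assumption). The string
# "False" is deliberately absent: shell="False" is a non-empty, truthy string.
FALSY_CONSTANTS = {False, 0, 0.0, "", b"", None}

# subprocess entry points that accept a shell keyword (this example's own list,
# not Bandit's configuration)
SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


def _call_name(call):
    """Best-effort name of the callee: `subprocess.run(...)` -> 'run', `f(...)` -> 'f'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def _shell_keyword(call):
    """Return the `shell=` keyword node of a call, or None if the call has none."""
    for kw in call.keywords:
        if kw.arg == "shell":
            return kw
    return None


def classify_shell_value(value):
    """Classify a `shell=` value node.

    Returns "falsy" for a known-disabled constant, "truthy" for any other
    constant (1, True, "True", "False", ...), or "dynamic" for anything that
    cannot be resolved statically (a name, attribute, call, ...).
    """
    if isinstance(value, ast.Constant):
        # bool is a subclass of int, so True == 1 and False == 0 in the set
        # lookup; that is exactly the behaviour wanted here (shell=1 acts
        # like shell=True at runtime).
        return "falsy" if value.value in FALSY_CONSTANTS else "truthy"
    return "dynamic"


def find_shell_findings(source):
    """Parse Python source and report every call whose shell= is not a falsy constant.

    Each finding is (lineno, callee name, value kind, severity), sorted by line.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        kw = _shell_keyword(node)
        if kw is None:
            continue
        kind = classify_shell_value(kw.value)
        if kind == "falsy":
            continue
        name = _call_name(node)
        # Severity labelling is this example's own convention: subprocess
        # functions are the well-known sink, any other callee gets LOW.
        severity = "HIGH" if name in SUBPROCESS_FUNCS else "LOW"
        findings.append((node.lineno, name, kind, severity))
    return sorted(findings)


# Constructed sample source (not taken from the issue) covering each spelling
# of the shell keyword; only the False and 0 cases should stay silent.
SAMPLE = """\
import subprocess
subprocess.call("echo hi", shell=True)
subprocess.Popen("echo hi", shell="True")
subprocess.check_output("echo hi", shell=1)
subprocess.run(["echo", "hi"], shell=False)
subprocess.run(["echo", "hi"], shell=0)
subprocess.run(["echo", "hi"], shell="False")
subprocess.run(["echo", "hi"], shell=flag)
helper.execute("echo hi", shell=1)
"""

if __name__ == "__main__":
    for lineno, name, kind, severity in find_shell_findings(SAMPLE):
        print(f"line {lineno}: {name}(shell=...) value is {kind} -> {severity}")
```

Running the block reports lines 2, 3, 4, 7, 8 and 9 of the sample and stays quiet on `shell=False` and `shell=0`, which is the behaviour the issue asks for; a value that is not a constant is reported as "dynamic" rather than dropped, since a linter cannot prove it is false.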