Functions called with shell=1 should be flagged
#157
Comments
Merged
|
@ericwb what do you think about the pull request? |
ericwb
pushed a commit
that referenced
this issue
Jun 14, 2018
- More example for shell kwarg - Related with #157
|
I think this could be closed @ericwb unless you have some objection about the test case. |
|
Fixed with PR #298 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The injection_shell plugins that look for shell=True (both in subprocess functions,
and in other functions) look for either the bool True or the string "True".
They might be able to detect more cases, like shell=1.
In the example below, the first two cases are flagged as HIGH, and the second
two are flagged as LOW. The case where shell=1 is not caught:
If "shell" is set to anything other than a falsey constant, it
can be flagged. It may be possible to use bandit.core.constants.FALSE_VALUES,
without the string 'False'.
I think this is the real bug behind https://bugs.launchpad.net/bandit/+bug/1505389
The text was updated successfully, but these errors were encountered: