Investigate possible vulnerabilities when using subprocess in the framework/ directory #10144
Labels: subprocess
Description
With the test created in the issue wazuh/wazuh-qa#1615, some possible code flaws were found by Bandit.
In this issue we specify the flaws regarding the use of subprocess calls in framework/. In total, Bandit reports 11 possible vulnerabilities related to subprocess.
The last 5 of them are also related to subprocess, but the difference is that those findings only ask to consider the possible security implications of importing subprocess, rather than flagging a specific use of it.
Vulnerability when using subprocess:
Issue text: subprocess call - check for execution of untrusted input.
More info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
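To show what closing a B603 finding as a justified false positive looks like, here is an added example of the defensive shape of a subprocess call. It is not code from the Wazuh repository: the executable is fixed, absolute and taken from an allowlist (no PATH lookup, not chosen by the caller), arguments are passed as a list with shell=False so no shell parses metacharacters, caller-supplied values are validated against a pattern that also rules out option-looking values, and a timeout bounds the call. The allowlist, the value pattern and the function names are assumptions for the demo.

```python
"""Hardened subprocess call pattern (added example, not Wazuh code)."""
import re
import subprocess
from typing import List, Sequence

# Hypothetical allowlist of executables this module is permitted to spawn.
ALLOWED_EXECUTABLES = {"/bin/ls", "/usr/bin/stat"}

# Hypothetical pattern for caller-supplied values (names, ids): must start
# with a letter or digit, so a value can never be parsed as an option ("-rf"),
# and may contain only a small set of characters, so no path traversal or
# separator characters get through even though no shell is involved.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class UnsafeArgument(ValueError):
    """Raised when a command or argument fails validation."""


def validate_args(values: Sequence[str]) -> List[str]:
    """Return the values unchanged if every one of them matches SAFE_VALUE."""
    clean = []
    for value in values:
        if not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            raise UnsafeArgument(f"rejected argument: {value!r}")
        clean.append(value)
    return clean


def build_command(executable: str, fixed_args: Sequence[str],
                  user_values: Sequence[str]) -> List[str]:
    """Assemble argv: allowlisted executable, fixed options, validated values."""
    if executable not in ALLOWED_EXECUTABLES:
        raise UnsafeArgument(f"executable not allowlisted: {executable!r}")
    return [executable, *fixed_args, *validate_args(user_values)]


def run_tool(executable: str, fixed_args: Sequence[str],
             user_values: Sequence[str], timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run the command as an argv list, never through a shell, with a timeout."""
    argv = build_command(executable, fixed_args, user_values)
    # shell=False is the default; stated explicitly so reviewers (and Bandit's
    # B602 check) can see that no shell ever parses the command.
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    print(build_command("/bin/ls", ["-l"], ["etc"]))
    for bad in (["-rf"], ["a;b"], ["../etc"]):
        try:
            build_command("/bin/ls", ["-l"], bad)
        except UnsafeArgument as exc:
            print(exc)
```

With this shape, the remaining review question for a B603 finding is only whether every non-literal element of argv passes through a validator like `validate_args`; the executable and the absence of a shell are fixed by construction.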
Vulnerability when importing subprocess:
Issue text: Consider possible security implications associated with subprocess module.
More info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
We should investigate these results and see if they are real vulnerabilities.
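As an added helper for that investigation (not code from the Wazuh repository or from Bandit), the following script walks Python source with the standard-library `ast` module and reports every subprocess import and spawn call, recording the two facts that decide whether a "check for execution of untrusted input" finding is a real problem: whether shell=True is passed (a shell parses the command string) and whether the executable is a string literal or comes from a variable. The severity ordering and the SAMPLE source are constructed for the demo.

```python
"""Triage helper for subprocess findings (added example, not Wazuh or Bandit code)."""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Functions that spawn a process. A bare name counts only when it was
# imported from subprocess (aliases are tracked in triage()).
SPAWN_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass
class Finding:
    lineno: int
    func: str
    shell_true: bool
    literal_command: bool

    @property
    def severity(self) -> str:
        # Assumed ordering for the demo: shell=True is the serious case; a
        # list-style call with a literal executable only needs a review of the
        # remaining arguments; a list-style call whose executable is a variable
        # sits in between.
        if self.shell_true:
            return "high"
        return "low" if self.literal_command else "medium"


def _spawn_name(call: ast.Call, from_imports: Dict[str, str]) -> Optional[str]:
    """Return the subprocess function a call resolves to, or None."""
    f = call.func
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "subprocess" and f.attr in SPAWN_FUNCS):
        return f.attr
    if isinstance(f, ast.Name) and from_imports.get(f.id) in SPAWN_FUNCS:
        return from_imports[f.id]
    return None


def _is_literal_command(node: Optional[ast.AST]) -> bool:
    """True when the executable is a string literal (bare or first list/tuple element)."""
    if isinstance(node, (ast.List, ast.Tuple)):
        node = node.elts[0] if node.elts else None
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def triage(source: str) -> Tuple[bool, List[Finding]]:
    """Return (imports subprocess?, spawn-call findings sorted by line)."""
    tree = ast.parse(source)
    imports_subprocess = False
    from_imports: Dict[str, str] = {}  # local name -> subprocess name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name == "subprocess" for a in node.names):
            imports_subprocess = True
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            imports_subprocess = True
            from_imports.update({a.asname or a.name: a.name for a in node.names})

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _spawn_name(node, from_imports)
        if name is None:
            continue
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        # The command is the first positional argument or the args= keyword.
        command = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None)
        findings.append(Finding(node.lineno, name, shell_true, _is_literal_command(command)))
    findings.sort(key=lambda f: f.lineno)
    return imports_subprocess, findings


# Constructed sample source covering the three shapes a reviewer meets.
SAMPLE = """
import subprocess
from subprocess import Popen

def list_dir(path):
    # list-style call with a literal executable
    return subprocess.check_output(["/bin/ls", "-l", path])

def run_user_command(user_cmd):
    # string command parsed by a shell
    return subprocess.run(user_cmd, shell=True)

def run_tool(tool, arg):
    # list-style call, but the executable comes from a variable
    return Popen([tool, arg])
"""

if __name__ == "__main__":
    imports, found = triage(SAMPLE)
    print("imports subprocess:", imports)
    for f in found:
        print(f"line {f.lineno}: {f.func} shell={f.shell_true} "
              f"literal_command={f.literal_command} -> {f.severity}")
```

Running it over a file listed by Bandit gives the reviewer the line, the spawn function and the two properties above at a glance; the "low" cases still need a look at the non-literal arguments, which is exactly what the B603 issue text asks for.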
Checks
wazuh/wazuh
  - framework/wazuh/core/cluster/tests/
  - framework/wazuh/core/cluster/dapi/tests/
  - framework/wazuh/core/tests/
  - framework/wazuh/tests/
  - framework/wazuh/rbac/tests/
  - api/api/tests/
  - api/test/integration/
  - api/test/integration/mapping/integration_test_api_endpoints.json
  - api/api/spec/spec.yaml
  - framework/wazuh/core/exception.py
  - CHANGELOG.md
wazuh/wazuh-documentation
  - source/user-manual/api/equivalence.rst
  - source/user-manual/api/rbac/reference.rst