Pattern: Function call with shell=True
Issue: -
This rule inspects function and method calls for a keyword argument named shell whose value is True. It belongs to the family of shell injection checks and is intended to catch custom wrappers around shell-spawning functions (for example a project's own Popen helper) that the dedicated subprocess checks would otherwise miss, since the wrapper's name is not on the list of known vulnerable calls.
Example of insecure code:
def Popen(*args, **kwargs):
    # custom wrapper; the call below passes shell=True, so the rule fires
    print('hi')
Popen('/bin/gcc --version', shell=True)
Example of secure code:
def Popen(*args, **kwargs):
    # same wrapper; the call below passes shell=False, so the rule stays silent
    print('hi')
Popen('/bin/gcc --version', shell=False)
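As an added illustration, and not code from the original rule documentation or from Bandit itself, the following Python script implements the detection logic the rule describes: it parses source text with the standard ast module and reports every call, whatever the callee is named, that carries a literal shell=True keyword. The source it scans is constructed inline, including a custom wrapper named run; the function names find_shell_true_calls and _callee_name are assumptions for this example.

```python
import ast

# Constructed sample source (not from the page): a custom wrapper around
# subprocess.Popen, called once with shell=False and once with shell=True,
# plus a direct subprocess call that builds its command from untrusted input.
SAMPLE_SOURCE = '''
import subprocess

def run(*args, **kwargs):
    return subprocess.Popen(*args, **kwargs)

run(["/bin/gcc", "--version"], shell=False)
run("/bin/gcc --version", shell=True)
subprocess.call("ls -l " + user_input, shell=True)
'''


def _callee_name(func):
    """Render the called expression as dotted text for reporting (assumed helper)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return _callee_name(func.value) + "." + func.attr
    return "<expr>"


def find_shell_true_calls(source):
    """Return (line, callee) for every call that passes the literal keyword shell=True.

    Like the rule described above, this looks only at the keyword argument, not
    at the callee, so wrappers such as run(...) are caught as well as
    subprocess.call(...). A non-literal value (shell=flag) is deliberately not
    reported: the checker cannot know its runtime value.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, _callee_name(node.func)))
    return hits


if __name__ == "__main__":
    for lineno, callee in find_shell_true_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {callee}(...) called with shell=True")
```

Two caveats follow directly from the matching logic. First, only a literal True is matched, so shell=flag with a variable slips through, exactly as a static checker of this kind must tolerate. Second, the "secure" form is only secure if the wrapper really forwards to subprocess with shell=False, in which case the command should be passed as an argument list ("/bin/gcc", "--version") rather than one string; with shell=False a single string is treated as the program name.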