Pattern: Possible wildcard injection
Issue: -
Python provides a number of methods that emulate the behavior of standard
Linux command line utilities. Like their Linux counterparts, these commands
may take a wildcard *
character in place of a file system path. This is
interpreted to mean "any and all files or folders" and can be used to build
partially qualified paths, such as /home/user/*
.
The use of partially qualified paths may result in unintended consequences if an unexpected file or symlink is placed into the path location given. This becomes particularly dangerous when combined with commands used to manipulate file permissions or copy data off of a system.
This rule looks for usage of the following commands in conjunction with wild card parameters:
chown
chmod
tar
rsync
As well as any method configured in the shell or subprocess injection test configurations.
Example of insecure code:
import os as o
import subprocess as subp
o.popen2('/bin/chmod *')
Example of secure code:
import os as o
import subprocess as subp
subp.Popen(['/bin/chown', '*'])