No detection when passing keyword args to subprocess/shell functions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bandit | New | Medium | Unassigned |
Bug Description
Multiple plugins in bandit/
The only issue that Bandit reports against the below Python 2 code is the import of "subprocess":
```python
import commands
commands.
import os
os.
import subprocess
subprocess.
```
I think a solution for the shell injection plugins is to check for either args[0] *or* kwargs[
Note: this quirk only applies to Python-defined functions. Built-in functions, like os.system() on Python 2, won't accept keyword arguments.
Good catch!
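To make the gap concrete, here is an added example (not Bandit's own plugin code and not the reporter's) of an `ast`-based checker that implements the fix the report proposes: it locates the command argument in either `args[0]` or a named keyword, and a `check_keywords` switch reproduces the "positional only" behaviour the report complains about. The set of functions covered and the keyword names are assumptions for this example; the names themselves come from the standard-library signatures (`subprocess.call(args, ...)`, `os.popen(cmd, ...)`, `commands.getoutput(cmd)`). The sample source is constructed and is only parsed, never executed, so the Python 2 `commands` import is harmless under Python 3.8+ (needed for `ast.Constant`).

```python
import ast

# Assumed mapping of call targets to the parameter that carries the command.
# Which functions to cover is a choice for this example, not Bandit's list.
SHELL_FUNCS = {
    "subprocess.call": "args",
    "subprocess.Popen": "args",
    "subprocess.check_output": "args",
    "os.popen": "cmd",
    "commands.getoutput": "cmd",
}

# Constructed sample: two calls pass the command positionally, two by keyword.
SAMPLE = '''
import os
import subprocess
subprocess.call("ls -l", shell=True)
subprocess.call(args=user_input, shell=True)
os.popen(cmd="id")
subprocess.check_output(["ls", "-l"])
'''


def dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def command_argument(call, kwname, check_keywords=True):
    """Return the AST node holding the command: args[0] *or* the named keyword.

    With check_keywords=False this degrades to the positional-only lookup
    that misses keyword-style calls such as subprocess.call(args=...).
    """
    if call.args:
        return call.args[0]
    if check_keywords:
        for kw in call.keywords:  # kw.arg is None for **kwargs; skipped by the compare
            if kw.arg == kwname:
                return kw.value
    return None


def is_constant_string(node):
    """True when the command is a string literal (lower risk than a variable)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_shell_calls(source, check_keywords=True):
    """Scan source text and report every covered call whose command was found."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name not in SHELL_FUNCS:
            continue
        cmd = command_argument(node, SHELL_FUNCS[name], check_keywords)
        if cmd is None:
            continue
        findings.append({
            "line": node.lineno,
            "func": name,
            "via": "positional" if node.args else "keyword",
            "constant": is_constant_string(cmd),
        })
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print(f"check_keywords={mode}:")
        for f in find_shell_calls(SAMPLE, check_keywords=mode):
            print("  line %(line)d %(func)s via %(via)s (constant=%(constant)s)" % f)
```

Run as a script it lists two findings in positional-only mode and four once keyword arguments are inspected; the `constant` flag is a hint for severity, since a literal command is less likely to carry attacker-controlled input than a variable.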