Functions called with `shell=1` should be flagged

Bug #1650388 reported by David Wyde
Affects   Status   Importance   Assigned to   Milestone
Bandit    New      Medium       Unassigned

Bug Description

The injection_shell plugins that look for shell=True (both in subprocess functions,
and in other functions) look for either the bool True or the string "True".
They might be able to detect more cases, like shell=1.

In the example below, the first two cases are flagged as HIGH, and the second
two are flagged as LOW. The case where shell=1 is not caught:

    import subprocess

    command = 'pwd'
    subprocess.call(command, shell=True)    # flagged HIGH
    subprocess.call(command, shell='True')  # flagged HIGH
    subprocess.call(command, shell=1)       # only LOW: truthy, but neither True nor 'True'
    subprocess.call(command, shell=False)   # LOW

If "shell" is set to anything other than a falsy constant, it
can be flagged. It may be possible to use bandit.core.constants.FALSE_VALUES,
without the string 'False'.

I think this is the real bug behind https://bugs.launchpad.net/bandit/+bug/1505389
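The check the report asks for, written as a stand-alone illustration rather than Bandit's own plugin code: it walks the AST, finds `subprocess.*` calls, and grades the `shell=` keyword by Python truthiness instead of matching the spellings `True` and `'True'`. That is why `shell=1` lands next to `shell=True`, and why the string `'False'` (which is truthy, so it turns the shell on) is also graded HIGH, matching the report's remark about leaving `'False'` out of the falsy list. The function set, the severity labels for the non-constant case, and the sample source are constructed here and are not taken from Bandit.

```python
import ast

# Assumption: a representative subset of subprocess entry points that accept shell=.
SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


def classify_shell_value(node):
    """Grade the AST node bound to shell= (None when the keyword is absent).

    HIGH   a literal Python treats as truthy: True, 'True', 1, 'yes', 'False', ...
    LOW    a literal Python treats as falsy: False, 0, None, '' (or no keyword,
           since shell defaults to False)
    MEDIUM anything computed at run time (a name, a call, an expression);
           the MEDIUM label is this example's own choice, not Bandit's.
    """
    if node is None:
        return "LOW"
    if isinstance(node, ast.Constant):
        # Compare by truthiness, not by spelling: shell=1 and shell='False'
        # both enable the shell at run time, so both must be HIGH.
        return "HIGH" if node.value else "LOW"
    return "MEDIUM"


def _subprocess_name(call):
    """Return 'subprocess.<fn>' if the call targets a known entry point, else None."""
    fn = call.func
    if (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
            and fn.value.id == "subprocess" and fn.attr in SUBPROCESS_FUNCS):
        return f"subprocess.{fn.attr}"
    return None


def scan(source):
    """Return (lineno, qualified name, severity) for every subprocess call found."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _subprocess_name(node)
        if name is None:
            continue
        shell_node = next((kw.value for kw in node.keywords if kw.arg == "shell"), None)
        findings.append((node.lineno, name, classify_shell_value(shell_node)))
    return sorted(findings)


# Constructed sample: the report's four calls plus three extra variants.
SAMPLE = """\
import subprocess

command = 'pwd'
subprocess.call(command, shell=True)
subprocess.call(command, shell='True')
subprocess.call(command, shell=1)
subprocess.call(command, shell=False)
subprocess.call(command)
subprocess.run(command, shell=use_shell)
subprocess.call(command, shell='False')
"""

if __name__ == "__main__":
    for lineno, name, severity in scan(SAMPLE):
        print(f"line {lineno}: {name} -> {severity}")
```

Run as a script it prints one line per call; lines 4, 5, 6 and 10 of the sample come out HIGH, 7 and 8 LOW, and the run-time value on line 9 MEDIUM. The matcher only recognises the `subprocess.<fn>` attribute form; a call imported with `from subprocess import call` is not resolved, which Bandit's context handles but this illustration does not.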

Eric Brown (ericwb)
Changed in bandit:
importance: Undecided → Medium
assignee: nobody → Eric Brown (ericwb)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/412343

Changed in bandit:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Change abandoned on bandit (master)

Change abandoned by Gage Hugo (<email address hidden>) on branch: master
Review: https://review.openstack.org/412343
Reason: Abandoning to clear up some of the review queue and it's been about a year without any update.

We can restore the change if/when someone gets bandwidth to pick this back up.

Eric Brown (ericwb)
Changed in bandit:
assignee: Eric Brown (ericwb) → nobody
status: In Progress → New