Functions called with `shell=1` should be flagged

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bandit | New | Medium | Unassigned |
Bug Description
The injection_shell plugins that look for shell=True (both in subprocess functions,
and in other functions) look for either the bool True or the string "True".
They might be able to detect more cases, like shell=1.
In the example below, the first two cases are flagged as HIGH, and the second
two are flagged as LOW. The case where shell=1 is not caught:
import subprocess
command = 'pwd'
subprocess.
subprocess.
subprocess.
subprocess.
If "shell" is set to anything other than a falsy constant, it
can be flagged. It may be possible to use bandit.
without the string 'False'.
I think this is the real bug behind https:/
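Added illustration (not from the report or from Bandit itself) of the rule proposed above: walk the AST, and for every call passing a `shell=` keyword, treat any truthy constant as flaggable rather than matching only `True`/`"True"`. The sample source, the verdict labels and the function names are constructed for this example.

```python
import ast

# Constructed sample input (not the truncated snippet from the report): calls that
# pass shell= as True, the string "True", the int 1, the int 0, and a variable.
SAMPLE = """
import subprocess
command = 'pwd'
subprocess.Popen(command, shell=True)
subprocess.Popen(command, shell="True")
subprocess.Popen(command, shell=1)
subprocess.Popen(command, shell=0)
subprocess.Popen(command, shell=use_shell)
"""


def shell_arg_is_truthy(node):
    """Return True for a truthy constant, False for a falsy constant, and None
    when the value is not a constant (a name or expression whose value is unknown
    statically). Note that a non-empty string such as "False" is truthy in Python,
    so this rule flags it; the report's proposal is about constants, not strings."""
    if isinstance(node, ast.Constant):
        return bool(node.value)
    return None


def find_shell_calls(source):
    """Return (lineno, verdict) for every call that passes a shell= keyword.
    verdict is 'flag' for a truthy constant, 'ok' for a falsy constant and
    'unknown' otherwise (hypothetical labels, not Bandit's HIGH/LOW ratings)."""
    results = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "shell":
                continue
            truthy = shell_arg_is_truthy(kw.value)
            verdict = "unknown" if truthy is None else ("flag" if truthy else "ok")
            results.append((node.lineno, verdict))
    return sorted(results)


if __name__ == "__main__":
    for lineno, verdict in find_shell_calls(SAMPLE):
        print(f"line {lineno}: {verdict}")
```

Under this rule `shell=1` is flagged alongside `shell=True` and `shell="True"`, `shell=0` is not, and a non-constant value is reported separately so the caller can rate it lower rather than miss it.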
Changed in bandit:
importance: Undecided → Medium
assignee: nobody → Eric Brown (ericwb)

Changed in bandit:
assignee: Eric Brown (ericwb) → nobody
status: In Progress → New
Fix proposed to branch: master
Review: https://review.openstack.org/412343