No detection when passing keyword args to subprocess/shell functions

Bug #1650385 reported by David Wyde
Affects: Bandit
Status: New
Importance: Medium
Assigned to: Unassigned

Bug Description

Multiple plugins in bandit/plugins/injection_shell.py assume that a command will be passed in as a positional argument. When keyword arguments are used, the plugins don't even report that a call occurred.

The only issue that Bandit reports against the below Python 2 code is the import of "subprocess":

    import commands
    commands.getoutput(cmd='ls')

    import os
    os.popen2(mode='r', cmd='ls')

    import subprocess
    subprocess.Popen(args='ls', shell=True)

I think a solution for the shell injection plugins is to check for either args[0] *or* kwargs['cmd']/kwargs['args']/etc., depending on the function.

Note: this quirk only applies to Python-defined functions. Built-in functions, like os.system() on Python 2, won't accept keyword arguments.
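The check the report proposes, written out as an added example (this is not Bandit's own plugin code): an `ast` walk that treats the command as either positional argument 0 or the function's own keyword, using the assumed parameter names `cmd`/`args` from the three calls above.

```python
import ast

# Assumed mapping: function -> name of the parameter that carries the command,
# taken from the three calls in the report.
COMMAND_PARAM = {
    "commands.getoutput": "cmd",
    "os.popen2": "cmd",
    "subprocess.Popen": "args",
}

def dotted_name(node):
    """Return 'mod.func' for a Name/Attribute call target, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def command_arg(call, param):
    """The command: positional arg 0 *or* the keyword named `param`."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == param:
            return kw.value
    return None

def find_shell_calls(source):
    """(line, function, command) for each recognised call, whether the
    command was passed positionally or by keyword."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in COMMAND_PARAM:
                arg = command_arg(node, COMMAND_PARAM[name])
                # literal commands are reported verbatim, anything else as None
                cmd = arg.value if isinstance(arg, ast.Constant) else None
                hits.append((node.lineno, name, cmd))
    return sorted(hits, key=lambda h: h[0])

# constructed sample: the report's three keyword-argument calls
SAMPLE = """\
commands.getoutput(cmd='ls')
os.popen2(mode='r', cmd='ls')
subprocess.Popen(args='ls', shell=True)
"""
```

Run `find_shell_calls(SAMPLE)` and all three calls are reported; a checker that only inspects `call.args[0]` reports none of them.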

Travis McPeak (travis-mcpeak) wrote :

Good catch!

Changed in bandit:
importance: Undecided → Medium