2020-06-30 12:49:37 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
Python 3
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
subprocess.run(cmd, shell=True) # Sensitive
|
|
|
|
|
subprocess.Popen(cmd, shell=True) # Sensitive
|
|
|
|
|
subprocess.call(cmd, shell=True) # Sensitive
|
|
|
|
|
subprocess.check_call(cmd, shell=True) # Sensitive
|
|
|
|
|
subprocess.check_output(cmd, shell=True) # Sensitive
|
|
|
|
|
os.system(cmd) # Sensitive: a shell is always spawn
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Python 2
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
cmd = "when a string is passed through these function, a shell is spawn"
|
|
|
|
|
(_, child_stdout, _) = os.popen2(cmd) # Sensitive
|
|
|
|
|
(_, child_stdout, _) = os.popen3(cmd) # Sensitive
|
|
|
|
|
(_, child_stdout) = os.popen4(cmd) # Sensitive
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(child_stdout, _) = popen2.popen2(cmd) # Sensitive
|
|
|
|
|
(child_stdout, _, _) = popen2.popen3(cmd) # Sensitive
|
|
|
|
|
(child_stdout, _) = popen2.popen4(cmd) # Sensitive
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
Python 3
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
# by default shell=False, a shell is not spawn
|
|
|
|
|
subprocess.run(cmd) # Compliant
|
|
|
|
|
subprocess.Popen(cmd) # Compliant
|
|
|
|
|
subprocess.call(cmd) # Compliant
|
|
|
|
|
subprocess.check_call(cmd) # Compliant
|
|
|
|
|
subprocess.check_output(cmd) # Compliant
|
|
|
|
|
|
|
|
|
|
# always in a subprocess:
|
|
|
|
|
os.spawnl(mode, path, *cmd) # Compliant
|
|
|
|
|
os.spawnle(mode, path, *cmd, env) # Compliant
|
|
|
|
|
os.spawnlp(mode, file, *cmd) # Compliant
|
|
|
|
|
os.spawnlpe(mode, file, *cmd, env) # Compliant
|
|
|
|
|
os.spawnv(mode, path, cmd) # Compliant
|
|
|
|
|
os.spawnve(mode, path, cmd, env) # Compliant
|
|
|
|
|
os.spawnvp(mode, file, cmd) # Compliant
|
|
|
|
|
os.spawnvpe(mode, file, cmd, env) # Compliant
|
|
|
|
|
|
|
|
|
|
(child_stdout) = os.popen(cmd, mode, 1) # Compliant
|
|
|
|
|
(_, output) = subprocess.getstatusoutput(cmd) # Compliant
|
|
|
|
|
out = subprocess.getoutput(cmd) # Compliant
|
|
|
|
|
os.startfile(path) # Compliant
|
|
|
|
|
os.execl(path, *cmd) # Compliant
|
|
|
|
|
os.execle(path, *cmd, env) # Compliant
|
|
|
|
|
os.execlp(file, *cmd) # Compliant
|
|
|
|
|
os.execlpe(file, *cmd, env) # Compliant
|
|
|
|
|
os.execv(path, cmd) # Compliant
|
|
|
|
|
os.execve(path, cmd, env) # Compliant
|
|
|
|
|
os.execvp(file, cmd) # Compliant
|
|
|
|
|
os.execvpe(file, cmd, env) # Compliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Python 2
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
cmdsargs = ("use", "a", "sequence", "to", "directly", "start", "a", "subprocess")
|
|
|
|
|
|
|
|
|
|
(_, child_stdout) = os.popen2(cmdsargs) # Compliant
|
|
|
|
|
(_, child_stdout, _) = os.popen3(cmdsargs) # Compliant
|
|
|
|
|
(_, child_stdout) = os.popen4(cmdsargs) # Compliant
|
|
|
|
|
|
|
|
|
|
(child_stdout, _) = popen2.popen2(cmdsargs) # Compliant
|
|
|
|
|
(child_stdout, _, _) = popen2.popen3(cmdsargs) # Compliant
|
|
|
|
|
(child_stdout, _) = popen2.popen4(cmdsargs) # Compliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
