Command execution without sanitization

Metadata

ID: python-security/os-system

Language: Python

Severity: Error

Category: Security

CWE: 78

Description

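Detects unsafe shell execution through the os module. os.system() hands its argument to the shell as a single string, so ensure the command is safe before execution. Use shlex to sanitize user inputs: pass each user-supplied value through shlex.quote() before placing it in the command.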

Learn More

Non-Compliant Code Examples

import os

# The interpolated paths are not quoted before the string reaches the shell
os.system(f'mv {saved_file_path} {public_upload_file_path}')
command = f'convert "{temp_upload_file_path}" -resize 50% "{resized_image_path}"'
os.system(command)


command2 = f'convert "{temp_upload_file_path}" -resize 50% "{resized_image_path}"'
os.system(command2)

import os
from pathlib import Path

directory = "/tmp"

# Use of unsanitized data to execute a process
os.system("/bin/ls")
os.system("/bin/ls " + directory)


os.system(f'mv {saved_file_path} {public_upload_file_path}')


def file_upload_api(request, app):
    file = request.files['file']

    if not _validate_file(file.filename):
        return {
            'message': 'Invalid file extension',
            'allowed_ext': ALLOWED_EXTENSIONS,
            'filename': file.filename
        }, 422

    saved_file_result = _save_temp_file(file, app)
    saved_file_path = saved_file_result['saved_path']

    file_name = Path(saved_file_path).name

    public_upload_file_path = os.path.join(app.config['PUBLIC_UPLOAD_FOLDER'], file_name)

    os.system(f'mv {saved_file_path} {public_upload_file_path}')

    return render_template('file_upload.html', file_url=f'{get_uploads_folder_url()}/{file_name}')

Compliant Code Examples

import os
import shlex

# Use shlex.quote() to sanitize data
os.system(shlex.quote("/bin/ls"))
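
The difference the rule is about, shown as an added example that is not part of the original rule documentation. It assumes a POSIX /bin/sh; `printf` stands in for the `mv` and `convert` calls above, `subprocess.run(..., shell=True)` replaces `os.system` only so the output can be captured, and all function names and the sample filename are hypothetical.

```python
import shlex
import subprocess

# Constructed sample: an upload filename carrying a space and a shell separator.
UPLOAD_NAME = "holiday photo.png; echo INJECTED"


def unsafe_command(name):
    """Pattern the rule flags: the value is interpolated into the shell string as-is."""
    return f"printf '%s\\n' {name}"


def quoted_command(name):
    """Same command with the value passed through shlex.quote() first."""
    return f"printf '%s\\n' {shlex.quote(name)}"


def quoted_mv(src, dst):
    """The page's mv command with both paths quoted individually."""
    return f"mv {shlex.quote(src)} {shlex.quote(dst)}"


def run_in_shell(command):
    """Hand the string to /bin/sh (as os.system does) and return the output lines."""
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # Unquoted: the shell splits on the space and runs the text after ';' as a second command.
    print(run_in_shell(unsafe_command(UPLOAD_NAME)))
    # Quoted: the whole filename reaches printf as a single argument.
    print(run_in_shell(quoted_command(UPLOAD_NAME)))
    # Built only, not executed: shlex.split shows the three words the shell would see.
    print(shlex.split(quoted_mv("/tmp/" + UPLOAD_NAME, "/srv/public/" + UPLOAD_NAME)))
```

shlex.quote() targets POSIX shells only. Passing an argument list to subprocess.run() without shell=True avoids the shell parse entirely.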