Command coming from incoming request
This page is not yet available in French; its translation is in progress.
If you have questions or feedback on our current translation project,
feel free to contact us.
ID: python-django/subprocess-from-request
Language: Python
Severity: Error
Category: Security
CWE: 20
Description
This rule flags a new process being launched with unsanitized, unvalidated user input, here a value read from the incoming request. Handing request data to a shell (or using it as the program or arguments of an executable) lets an attacker run arbitrary commands on the server. The value must be validated before use, preferably against an allowlist of permitted commands and argument shapes, and passed as an argument list rather than as a shell command line built by formatting or concatenation.
Learn More
Non-Compliant Code Examples
import subprocess

def execute_command(request):
    # Attacker-controlled value taken straight from the query string.
    cmd = request.GET.get("cmd")
    print("foobar")
    # Each call below hands the request value to a new process without validation.
    subprocess.run(cmd)
    subprocess.call(cmd)
    # capture_output is a keyword argument of run(), not a subprocess function.
    subprocess.run(cmd, capture_output=True)
    subprocess.call(["bash", cmd])
    bli = subprocess.run(cmd)
    bla = subprocess.call(cmd)
    ble = subprocess.run(cmd, capture_output=True)
    blo = subprocess.call(["bash", cmd])
    # Building a shell command line by formatting or concatenation is the classic injection shape.
    blip = subprocess.call("bash {0}".format(cmd))
    blop = subprocess.call("bash " + cmd)
Compliant Code Examples
import shlex
import subprocess

def execute_command(request):
    cmd = request.GET.get("cmd")
    print("foobar")
    # shlex.quote() (there is no shlex.escape()) wraps the value so that shell
    # metacharacters such as ; | & $ cannot break out of a single argument.
    # Quoting only matters when the string reaches a shell; as written (no shell=True)
    # the quoted string is passed as a single program name. Validating cmd against an
    # allowlist before use is still required.
    subprocess.run(shlex.quote(cmd))
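The following is an added example, not part of the original rule page or Datadog's own code, showing how a practitioner would satisfy this rule in practice: the request value is checked against an allowlist and a conservative argument pattern, then passed to subprocess as an argument list with no shell. The ALLOWED_TOOLS table, the SAFE_ARG pattern and the function names are assumptions for illustration. A helper is included that shows what shlex.quote() does to a hostile value, for the case where a shell really is unavoidable.

```python
import re
import shlex
import subprocess

# Assumed allowlist (hypothetical): the only programs this endpoint may launch,
# each with the fixed options it is always given.
ALLOWED_TOOLS = {
    "echo": [],
    "ls": ["-l"],
}

# Conservative shape for a single user-supplied argument: no whitespace, no shell
# metacharacters, bounded length.
SAFE_ARG = re.compile(r"[A-Za-z0-9._/-]{1,128}")


def build_argv(tool, arg=None):
    """Validate the user-supplied tool and argument and return an argv list.

    Raises ValueError on anything outside the allowlist. The result is a list,
    never a shell string, so no shell ever parses the user value.
    """
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    argv = [tool, *ALLOWED_TOOLS[tool]]
    if arg is not None:
        # Reject option-looking values too, so the user cannot inject flags
        # (e.g. "--output=/etc/passwd") even though "-" is otherwise permitted.
        if not SAFE_ARG.fullmatch(arg) or arg.startswith("-"):
            raise ValueError(f"argument rejected: {arg!r}")
        argv.append(arg)
    return argv


def run_tool(tool, arg=None):
    """Launch the validated command without a shell and return (returncode, stdout)."""
    argv = build_argv(tool, arg)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.returncode, result.stdout


def quoted_shell_line(tool, arg):
    """Only for the rare case where a shell is unavoidable (shell=True):

    the tool is still allowlisted and the user value is wrapped with
    shlex.quote(), which turns "x; id" into "'x; id'" so it stays one word.
    """
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    return " ".join([tool, *ALLOWED_TOOLS[tool], shlex.quote(arg)])


def handle_request(params):
    """Django-style view logic on a dict of query parameters (constructed input)."""
    try:
        return run_tool(params.get("tool", ""), params.get("arg"))
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    print(handle_request({"tool": "echo", "arg": "hello"}))      # runs /bin/echo hello
    print(handle_request({"tool": "echo", "arg": "hello; id"}))  # rejected, never executed
    print(quoted_shell_line("echo", "hello; id"))
```

Note that the rejection happens before any process is created, so the injection attempt is never evaluated by anything; quoting is a fallback for the shell=True case, not a substitute for the allowlist.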