shell argument leads to unnecessary privileges
ID: python-security/subprocess-shell-true
Language: Python
Severity: Warning
Category: Security
CWE: 78
Description
Never invoke subprocess.Popen with shell=True. Running a command through the shell leads to unnecessary privileges and access to the underlying execution runtime. Any execution with shell=True should be explicitly reviewed and verified before the code reaches production.
Learn More
- CWE-250 - Execution with Unnecessary Privileges
- CWE-657 - Violation of Secure Design Principles
Non-Compliant Code Examples
```python
import subprocess

MODULE_PATHS = ["src"]  # placeholder: the original defines this list elsewhere


def find_dogweb_packages():
    # setuptools.find_packages is too slow since it walks the entire codebase, including Javascript code.
    # This is an equivalent but optimized function, specific to our codebase, listing all the available
    # packages.
    # Look for __init__.py files using fast UNIX tools
    # Non-compliant: the command line is built by string formatting and handed to a shell (shell=True)
    r = subprocess.Popen(
        "find %s -name '__init__.py'" % " ".join(MODULE_PATHS), shell=True, stdout=subprocess.PIPE
    ).stdout.read()
    return r
```
```python
from subprocess import Popen

Popen('/bin/ls %s' % ('something',), shell=True)
```

```python
import subprocess

subprocess.Popen('/bin/ls %s' % ('something',), shell=True)
```
Compliant Code Examples
```python
import subprocess

# With shell=False the program and its arguments are passed as a list, so no
# shell parses the command line; a single string here would be treated as the
# program name and fail to execute.
subprocess.Popen(['/bin/ls', 'something'], shell=False)
```
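As an added example (not part of the rule page or Datadog's own checker), the block below does two things: a small AST-based checker that flags the shell=True pattern this rule describes in both spellings shown above, and a compliant rewrite of the find_dogweb_packages example that passes the find command as an argv list. The demo_find fixture, the SUBPROCESS_CALLS set and all function names are assumptions of this example.

```python
import ast
import os
import subprocess
import tempfile
from pathlib import Path

# Assumed set of subprocess callables that accept the shell= keyword.
SUBPROCESS_CALLS = {"Popen", "run", "call", "check_call", "check_output"}


def find_shell_true(source):
    """Return (lineno, callee) for each subprocess call written with shell=True.

    Handles both spellings on the page: subprocess.Popen(...) and a bare
    Popen(...) after `from subprocess import Popen`. Only a literal True is
    flagged, so shell=<variable> is a known gap of this simple checker.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SUBPROCESS_CALLS:
            continue
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                findings.append((node.lineno, name))
    return findings


def find_init_files(module_paths):
    """Compliant rewrite of find_dogweb_packages: argv list, no shell involved."""
    argv = ["find", *module_paths, "-name", "__init__.py"]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return sorted(line for line in out.splitlines() if line)


def demo_find():
    """Constructed fixture: two packages, one whose name holds shell metacharacters.

    With shell=True the '; true' would reach the shell as a command separator;
    as an argv element it is just part of the path and is matched literally.
    """
    with tempfile.TemporaryDirectory() as root:
        for pkg in ("plain_pkg", "odd name; true"):
            pkg_dir = Path(root, "src", pkg)
            pkg_dir.mkdir(parents=True)
            (pkg_dir / "__init__.py").touch()
        found = find_init_files([os.path.join(root, "src")])
        return [os.path.relpath(p, root) for p in found]
```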