Non-Compliant Code Examples

```python
import os

directory = "/tmp"
# Placeholder values so the snippet runs; in the upload handler below they are derived from the request
saved_file_path = "/tmp/upload.tmp"
public_upload_file_path = "/var/www/uploads/upload.tmp"

# Use of unsanitized data to execute a process
os.system("/bin/ls")
os.system("/bin/ls " + directory)
# Both paths are interpolated straight into a shell command line
os.system(f'mv {saved_file_path} {public_upload_file_path}')
```

```python
import os
from pathlib import Path

from flask import render_template

# _validate_file, _save_temp_file, get_uploads_folder_url and ALLOWED_EXTENSIONS
# are application helpers defined elsewhere in the project


def file_upload_api(request, app):
    file = request.files['file']
    if not _validate_file(file.filename):
        return {
            'message': 'Invalid file extension',
            'allowed_ext': ALLOWED_EXTENSIONS,
            'filename': file.filename,
        }, 422
    saved_file_result = _save_temp_file(file, app)
    saved_file_path = saved_file_result['saved_path']
    file_name = Path(saved_file_path).name
    public_upload_file_path = os.path.join(app.config['PUBLIC_UPLOAD_FOLDER'], file_name)
    # file_name is attacker-controlled (it comes from the uploaded filename) and is
    # interpolated unquoted into a shell command: shell metacharacters in the name
    # become part of the command
    os.system(f'mv {saved_file_path} {public_upload_file_path}')
    return render_template('file_upload.html', file_url=f'{get_uploads_folder_url()}/{file_name}')
```
Compliant Code Examples
```python
import os
import shlex

# Use of shlex.quote() to sanitize data before it reaches the shell
# (shlex has no escape() function; quote() is the correct call)
os.system(shlex.quote("/bin/ls"))
```
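Applied to the upload handler above, the fix is either to quote every interpolated value with `shlex.quote()` or, better, to avoid the shell entirely. The following is an added example, not code from the rule page: it assumes the same `saved_file_path` / public-upload layout as the handler and uses a constructed filename containing shell metacharacters to show that both forms treat it as plain data.

```python
import os
import shlex
import shutil
import subprocess
import tempfile
from pathlib import Path


def build_safe_mv_command(saved_file_path: str, public_upload_file_path: str) -> str:
    """If os.system() must be kept, every value placed on the command line is quoted.

    shlex.quote() wraps the value in single quotes so ';', '&&', '$(...)' and spaces
    inside a filename cannot terminate or extend the mv command.
    """
    return f"mv {shlex.quote(saved_file_path)} {shlex.quote(public_upload_file_path)}"


def move_upload(saved_file_path: str, public_upload_folder: str) -> str:
    """Preferred fix: no shell at all. shutil.move() takes the paths as Python strings,
    so the filename is never parsed as a command. Returns the destination path."""
    dest = os.path.join(public_upload_folder, Path(saved_file_path).name)
    shutil.move(saved_file_path, dest)
    return dest


def move_upload_subprocess(saved_file_path: str, public_upload_folder: str) -> str:
    """Equivalent if an external mv is required: an argument list with shell=False
    (the default) passes each path as one argv entry, not through a shell."""
    dest = os.path.join(public_upload_folder, Path(saved_file_path).name)
    subprocess.run(["mv", "--", saved_file_path, dest], check=True)
    return dest


def demo() -> tuple[str, bool]:
    """Constructed scenario: an uploaded file whose name contains shell metacharacters."""
    hostile_name = "report; echo injected.txt"  # constructed hostile filename
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as public:
        saved = os.path.join(tmp, hostile_name)
        Path(saved).write_text("upload body")
        dest = move_upload(saved, public)
        # The file lands under its literal name; nothing in it was interpreted
        return Path(dest).name, Path(dest).is_file()
```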
How to use this rule
```yaml
rulesets:
  - python-security # Rules to enforce Python security.
```