Use subprocess securely to avoid shell injection

[wangzelin007]

Python possesses many mechanisms to invoke an external executable.

However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input.

Consequences

• If you use shell=True, your code is extremely likely to be vulnerable

• Even if your code is not vulnerable, the next person who maintains can easily introduce a vulnerability.

• Shell injections are arbitrary code execution - a competent attacker will use these to compromise the rest of your system.

How to Avoid

• Stop using the following commands that may cause shell injection according to Bandit rule B605
  • os.system
  • os.popen
  • os.popen2
  • os.popen3
  • os.popen4
  • popen2.popen2
  • popen2.popen3
  • popen2.popen4
  • popen2.Popen3
  • popen2.Popen4
  • commands.getoutput
  • commands.getstatusoutput
• Use subprocess securely

def ping(myserver):
    args = ['ping', '-c', '1', myserver]
    return subprocess.check_output(args, shell=False)

[jiasli]

There are some good examples in Azure CLI code that show how to invoke a subprocess securely:

To open a web browser in WSL:

azure-cli/src/azure-cli-core/azure/cli/core/util.py

Lines 734 to 735 in 325dfa6

	return subprocess.Popen(
	['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(url)]).wait()

To invoke azcopy:

azure-cli/src/azure-cli/azure/cli/command_modules/storage/azcopy/util.py

Lines 75 to 76 in 4b86ba6

	def run_command(self, args):
	args = [self.executable] + args

azure-cli/src/azure-cli/azure/cli/command_modules/storage/azcopy/util.py

Line 85 in 4b86ba6

result = subprocess.call(args, env=dict(os.environ, **env_kwargs))

To invoke bicep:

azure-cli/src/azure-cli/azure/cli/command_modules/resource/_bicep.py

Lines 240 to 241 in 9464462

	def _run_command(bicep_installation_path, args):
	process = subprocess.run([rf"{bicep_installation_path}"] + args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)