assume shell=False for subprocess calls, fixes FPs in e.g. youtube-dl

erik-krogh · erik-krogh · commit e9ebba335056 · 2023-02-03T14:47:55.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -1209,7 +1209,7 @@ private module StdlibPrivate {
         this.get_shell_arg().getAValueReachingSink().asExpr().(ImmutableLiteral).booleanValue()
       or
       not this.get_shell_arg().getAValueReachingSink().asExpr() instanceof ImmutableLiteral and
-      result = [true, false]
+      result = false // defaults to `False`
     }
 
     /** Gets the API-node for the `executable` argument, if any. */
diff --git a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
@@ -41,4 +41,6 @@ def subprocess_flag (name):
     def indirect(flag, x): 
         subprocess.run("ping " + x, shell=flag) # $result=BAD
 
-    indirect(True, name)
+    indirect(True, name)
+
+    subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False

Original file line number	Diff line number	Diff line change
`@@ -1209,7 +1209,7 @@ private module StdlibPrivate {`
`1209`	`1209`	`this.get_shell_arg().getAValueReachingSink().asExpr().(ImmutableLiteral).booleanValue()`
`1210`	`1210`	`or`
`1211`	`1211`	`not this.get_shell_arg().getAValueReachingSink().asExpr() instanceof ImmutableLiteral and`
`1212`		`- result = [true, false]`
	`1212`	+ result = false // defaults to `False`
`1213`	`1213`	`}`
`1214`	`1214`
`1215`	`1215`	/** Gets the API-node for the `executable` argument, if any. */