Add shlex.quote as sanitizer

2026-04-30 19:26:02 +02:00 · 2023-07-20 15:34:54 +02:00
parent c82ab2b2ab
commit 55648ac4de
3 changed files with 19 additions and 1 deletions
--- a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
+++ b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
@@ -1,9 +1,13 @@
 import os
 import subprocess
+import shlex

 def unsafe_shell_one(name):
    os.system("ping " + name) # $result=BAD

+    # shlex.quote sanitizer
+    os.system("ping " + shlex.quote(name)) # $result=OK
+
    # f-strings
    os.system(f"ping {name}") # $result=BAD