Python: Highlight that os.popen is not the only problem for extra alerts

This commit is contained in:
Rasmus Wriedt Larsen
2020-10-02 13:34:33 +02:00
parent 3247b300ae
commit de07d9e5d9
2 changed files with 7 additions and 3 deletions


@@ -28,7 +28,7 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) {
sink = any(SystemCommandExecution e).getCommand() and
// Since the implementation of os.popen looks like
// Since the implementation of standard library functions such `os.popen` looks like
// ```py
// def popen(cmd, mode="r", buffering=-1):
// ...
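Review bot: the new comment line is missing a word, "standard library functions such `os.popen`" should read "standard library functions such as `os.popen`"; since this comment now motivates excluding every stdlib sink rather than only `os.popen`, it is worth getting the wording right.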
@@ -49,6 +49,10 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
// Best solution I could come up with is to exclude all sinks inside the standard
// library -- this does have a downside: If we have overlooked a function in the
// standard library that internally runs a command, we no longer give an alert :|
//
// This does not only affect `os.popen`, but also the helper functions in `subprocess`. See
// https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
// https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
not sink.getLocation().getFile().inStdlib()
}
}
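Review bot: the added comment makes explicit that `not sink.getLocation().getFile().inStdlib()` also suppresses sinks inside the `subprocess` helpers, not just `os.popen`, and the comment just above already states the downside (an overlooked stdlib function that runs a command gives no alert). Consider recording that trade-off somewhere more visible than a code comment, e.g. the query's qhelp or a tracking issue, and adding a test that calls one of the `subprocess` helpers with user input so the expected single alert is pinned down; the CPython links pinned to commit fa7ce080175f65d678a7d5756c94f82887fc9803 are good, they will not drift as the stdlib changes.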


@@ -46,8 +46,8 @@ def not_into_sink_impl():
flow through the actual `popen` function to the internal call to `subprocess.Popen` -- we would usually
see that flow since we extract the `os.py` file from the standard library.
os.popen implementation:
https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
os.popen implementation: https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
subprocess.call implementation: https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
"""
command = request.args.get('command', '')
os.system(command)
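Review bot: the docstring now cites the `subprocess.call` implementation alongside `os.popen`, but in the context shown the body of `not_into_sink_impl` only calls `os.system(command)`, so nothing here exercises the `subprocess` helper path the docstring describes. Suggest a sibling test function that passes `request.args.get('command', '')` to `subprocess.call` (and one for `os.popen`), each expected to produce exactly one alert at the user-facing call and none inside `Lib/subprocess.py` or `Lib/os.py`; that is what would actually catch a regression of the stdlib-sink exclusion.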