Current command injection behavior isn't correct
Bug #1513091 reported by Travis McPeak
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bandit | Fix Released | High | Tim Kelsey |
Bug Description
Consider the following test file:
```python
import subprocess
my_val = 'do_something; ' + evil_value
subprocess.
```
This is obviously a high risk command injection issue, but Bandit currently only reports a low. Since all we can tell is that it's a dynamically constructed string we have to assume HIGH severity IMO.
Changed in bandit:
assignee: nobody → Tim Kelsey (tim-kelsey)

Changed in bandit:
status: Fix Committed → Fix Released
Reviewed: https://review.openstack.org/241689
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=2a328eb78682d052d22f997e3e722cf7c3230bd1
Submitter: Jenkins
Branch: master
commit 2a328eb78682d052d22f997e3e722cf7c3230bd1
Author: Tim Kelsey <email address hidden>
Date: Wed Nov 4 16:51:12 2015 +0000
Fixing bug in injection test
The injection test was broken: it assumed that the call arg in the
context would reflect the type passed into the detected call; this
is not the case. We check the AST node type instead now.
Change-Id: Idd7d8ed5ab7062af79b8e77d6df0cc39bddb7663
Closes-bug: 1513091
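The bug description and the commit message both turn on the same point: the severity of a `subprocess` command-injection finding should be decided from the AST node type of the argument (a literal string versus a dynamically built expression), not from the runtime type of whatever the context holds. The following is an added illustration of that approach and is not Bandit's own code; the `rate_severity` and `find_command_injections` function names, the `DYNAMIC_NODES` grouping, and the `SAMPLE` source are all constructed for this example.

```python
import ast

# Constructed sample input (not taken from the bug report): three subprocess
# calls whose command argument is built in different ways.
SAMPLE = '''
import subprocess
evil_value = input()
my_val = 'do_something; ' + evil_value
subprocess.Popen(my_val, shell=True)              # name bound to a dynamic string
subprocess.call('ls -l', shell=True)              # fixed literal
subprocess.run('echo ' + evil_value, shell=True)  # concatenation at the call site
'''

# Node types whose value is only known at run time. A command built from any
# of these is treated as attacker-influenced, which is the HIGH case the bug
# asks for. The grouping is this example's choice, not Bandit's.
DYNAMIC_NODES = (ast.Name, ast.BinOp, ast.JoinedStr, ast.Call,
                 ast.Attribute, ast.Subscript)


def _is_subprocess_call(node):
    """True for calls of the form subprocess.<anything>(...)."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess")


def rate_severity(arg):
    """Severity derived from the AST node type of the command argument,
    never from the runtime type of the value it evaluates to."""
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return "LOW"      # fixed literal: no injection surface from this argument
    if isinstance(arg, DYNAMIC_NODES):
        return "HIGH"     # dynamically constructed: assume the worst
    return "MEDIUM"       # lists, tuples and the like need a closer look


def find_command_injections(source):
    """Return [(lineno, severity)] for every subprocess.* call in *source*
    that passes shell=True, rated by the node type of its first argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_subprocess_call(node)):
            continue
        shell = any(kw.arg == "shell"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True
                    for kw in node.keywords)
        if not shell or not node.args:
            continue
        findings.append((node.lineno, rate_severity(node.args[0])))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, severity in find_command_injections(SAMPLE):
        print(f"line {lineno}: shell=True command injection, severity {severity}")
```

Run against `SAMPLE`, the `Popen` and `run` calls are rated HIGH because their first argument is an `ast.Name` and an `ast.BinOp` respectively, while the `call` with a literal string is rated LOW. Inspecting the node type is what makes the rating stable: the checker never needs to know what `evil_value` holds, only that the command was assembled at run time.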