Current command injection behavior isn't correct
Bug #1513091 reported by
Travis McPeak
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bandit |
Fix Released
|
High
|
Tim Kelsey | ||
Bug Description
Consider the following test file:
import subprocess
my_val = 'do_something; ' + evil_value
subprocess.
This is obviously a high risk command injection issue, but Bandit currently only reports a low. Since all we can tell is that it's a dynamically constructed string we have to assume HIGH severity IMO.
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to bandit (master) | #1 |
| Changed in bandit: | |
| status: | New → Fix Committed |
| Changed in bandit: | |
| assignee: | nobody → Tim Kelsey (tim-kelsey) |
| Changed in bandit: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 2a328eb78682d05
Author: Tim Kelsey <email address hidden>
Date: Wed Nov 4 16:51:12 2015 +0000
Fixing bug in injection test
The injection test was broken, it assumed that the call arg in the
context would reflect the type passed into the detected call, this
is not the case. We check the AST node type instead now
Change-Id: Idd7d8ed5ab7062
Closes-bug: 1513091