
False negative: missing os.exec* APIs with sh -c as sink in py/code-injection. #21735

@9iang22


Description of the issue

py/code-injection flags command injection when the code uses os.system(...) or subprocess.run(..., shell=True), but it does not flag the same tainted command when it is executed through Python os.exec* APIs with sh -c.

A minimal example:

  import os
  from flask import request  # assumed framework: the issue does not name where `request` comes from

  # user-controlled input from the query string
  files = request.args.get("files", "")
  # the tainted string reaches a shell via sh -c, but py/code-injection does not report it
  os.execl("/bin/sh", "sh", "-c", "ls " + files)

I also tested equivalent variants (os.execlp, os.execve, and subprocess.run(["sh","-c", ...])) and they were not reported either, while the os.system and shell=True controls were reported.

Sink pattern example in the wild:
https://github.com/ziyan/ssh-otp/blob/ad23edded03ee7d198417d99457d3cfa3df814d1/ssh-otp#L90

There is also code using `python -c`:
https://github.com/davidfraser/dbghelper/blob/f12b91b468bb640f1cb9d19733afef7696eee9fa/dbg.py#L47
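As an added example (not part of the issue, and not CodeQL's py/code-injection query), the script below is a small AST-based checker for exactly the sinks the report describes: `os.exec*` and `subprocess.*` calls whose argv starts with a shell or `python` followed by `-c`, where the command string is not a constant. The function and constant names (`find_shell_c_sinks`, `SHELLS`, `SAMPLE`) and the embedded sample source are constructed for this illustration; the sample reproduces the variants named above plus two forms that should not be flagged (a constant command, and an argv list that passes the input as a separate argument without any shell).

```python
"""Added example: AST-based detector for `<shell|python> -c <tainted>` sinks.

Illustrative code, not CodeQL's query. It walks a Python module, extracts the
argv of os.exec*/subprocess.* calls, and reports those where argv[0] is a shell
(or python), argv[1] is "-c", and argv[2] is not a plain string constant.
"""
import ast

# Interpreter basenames treated as "-c" sinks (assumed list; extend as needed)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
EXEC_LIST = {"execv", "execve", "execvp", "execvpe"}        # os.execv(path, [argv...])
EXEC_VARIADIC = {"execl", "execle", "execlp", "execlpe"}    # os.execl(path, *argv)
SUBPROCESS = {"run", "call", "check_call", "check_output", "Popen"}


def _str_const(node):
    """Return the value of a string constant node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _argv_nodes(call):
    """Return the argv AST nodes of an os.exec*/subprocess.* call, else None."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
        return None
    module, name = func.value.id, func.attr
    if module == "os" and name in EXEC_VARIADIC:
        return list(call.args[1:])                       # args after the path
    if module == "os" and name in EXEC_LIST:
        if len(call.args) >= 2 and isinstance(call.args[1], (ast.List, ast.Tuple)):
            return list(call.args[1].elts)               # the argv list literal
        return None
    if module == "subprocess" and name in SUBPROCESS:
        if call.args and isinstance(call.args[0], (ast.List, ast.Tuple)):
            return list(call.args[0].elts)
    return None


def find_shell_c_sinks(source):
    """Return sorted (lineno, interpreter, qualified call) tuples for each sink."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        argv = _argv_nodes(node)
        if argv is None or len(argv) < 3:
            continue
        prog, flag = _str_const(argv[0]), _str_const(argv[1])
        if prog is None or flag != "-c":
            continue
        base = prog.rsplit("/", 1)[-1]                   # "/bin/sh" -> "sh"
        if base not in SHELLS and not base.startswith("python"):
            continue
        if _str_const(argv[2]) is not None:
            continue                                     # constant command: no injection surface
        findings.append((node.lineno, base, f"{node.func.value.id}.{node.func.attr}"))
    return sorted(findings)


# Constructed sample: the variants from the issue, then two forms that must not be flagged.
SAMPLE = '''
import os, subprocess
from flask import request

files = request.args.get("files", "")
os.execl("/bin/sh", "sh", "-c", "ls " + files)
os.execlp("sh", "sh", "-c", f"ls {files}")
os.execve("/bin/bash", ["bash", "-c", "ls " + files], os.environ)
subprocess.run(["sh", "-c", "ls " + files])
subprocess.run(["python3", "-c", "print(" + files + ")"])
os.execl("/bin/sh", "sh", "-c", "ls /tmp")
os.execvp("ls", ["ls", "--", files])
'''

if __name__ == "__main__":
    for lineno, interp, call in find_shell_c_sinks(SAMPLE):
        print(f"line {lineno}: non-constant command passed to '{interp} -c' via {call}")
```

Run as a script it lists the five sinks in the sample (lines 6 to 10) and stays silent on the constant `ls /tmp` command and on the `execvp` call that passes the input as its own argv element, which is the shape a fix should take: no shell in between, so metacharacters in `files` are never interpreted.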

Labels: question (Further information is requested)