Use of unsanitized data to create processes
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
ID: python-flask/os-system-unsanitized-data
Language: Python
Severity: Error
Category: Security
CWE: 78
Use of unsanitized from incoming request to execute a command may lead to command injection. It is highly recommended that data is checked and sanitized before use.
import flask
import os
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
file1 = subprocess.call(resource_id)
file2 = subprocess.capture_output(f"/path/to/{resource_id}")
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
file4 = os.system("/path/to/{0}".format(resource_id))
os.system(request.remote_addr)
bla = os.system(request.foo)
@app.route("/route/to/resource")
def resource2():
resource_id = flask.request.args.get("resource_id")
subprocess.call(resource_id)
subprocess.run(["command", resource_id])
import flask
import os
app = flask.Flask(__name__)
@app.route("/route/to/resource/<resource_id>")
def resource2(resource_id):
file1 = subprocess.call(sanitize(resource_id))
file2 = subprocess.capture_output(f"/path/to/{sanitize(resource_id)}")