Call of a spawn process without sanitization

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: python-security/os-spawn

Language: Python

Severity: Error

Category: Security

CWE: 78

Description

Detect unsafe shell execution with the os module. We should ensure the command is safe before execution. Use shlex to sanitize user inputs.

Learn More

Non-Compliant Code Examples

import os

directory = "/tmp"

# Use of unsanitized data to create a process
os.spawnl(os.P_WAIT, "/bin/ls")
os.spawnle(os.P_WAIT, "/bin/ls")
os.spawnlp(os.P_WAIT, "/bin/ls")
os.spawnlpe(os.P_WAIT, "/bin/ls")
os.spawnv(os.P_WAIT, "/bin/ls")
os.spawnve(os.P_WAIT, "/bin/ls")
os.spawnvp(os.P_WAIT, "/bin/ls")
os.spawnvpe(os.P_WAIT, "/bin/ls")


os.spawnvpe(os.P_WAIT, "/bin/ls " + directory)

Compliant Code Examples

import os
import shlex

# Use of shlex() to sanitize data
os.spawnl(os.P_WAIT, shlex.escape("/bin/ls"))
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: rtrieu/product-analytics-ui-changes