Use of unsanitized data to create processes このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
このルールを試す ID: python-flask/os-system-unsanitized-data
Language: Python
Severity: Error
Category: Security
CWE : 78
Description Use of unsanitized from incoming request to execute a command may lead to command injection. It is highly recommended that data is checked and sanitized before use.
Learn More Non-Compliant Code Examples import flask
import os
app = flask . Flask ( __name__ )
@app.route ( "/route/to/resource/<resource_id>" )
def resource2 ( resource_id ):
file1 = subprocess . call ( resource_id )
file2 = subprocess . capture_output ( f "/path/to/ { resource_id } " )
@app.route ( "/route/to/resource/<resource_id>" )
def resource2 ( resource_id ):
file4 = os . system ( "/path/to/ {0} " . format ( resource_id ))
os . system ( request . remote_addr )
bla = os . system ( request . foo )
@app.route ( "/route/to/resource" )
def resource2 ():
resource_id = flask . request . args . get ( "resource_id" )
subprocess . call ( resource_id )
subprocess . run ([ "command" , resource_id ])
Compliant Code Examples import flask
import os
app = flask . Flask ( __name__ )
@app.route ( "/route/to/resource/<resource_id>" )
def resource2 ( resource_id ):
file1 = subprocess . call ( sanitize ( resource_id ))
file2 = subprocess . capture_output ( f "/path/to/ { sanitize ( resource_id ) } " )
Seamless integrations. Try Datadog Code Analysis