feat(python): code injection (CWE-94)
elsapet committed May 10, 2024
1 parent 195151a commit de9d820
Showing 3 changed files with 98 additions and 0 deletions.
63 changes: 63 additions & 0 deletions rules/python/lang/code_injection.yml
@@ -0,0 +1,63 @@
imports:
- python_shared_common_user_input
patterns:
- pattern: exec($<...>$<USER_INPUT>$<...>)
filters:
- variable: USER_INPUT
detection: python_shared_common_user_input
scope: result
- pattern: getattr($<_>, $<...>$<USER_INPUT>$<...>)
filters:
- variable: USER_INPUT
detection: python_shared_common_user_input
scope: result
- pattern: setattr($<_>, $<_>, $<...>$<USER_INPUT>$<...>)
filters:
- variable: USER_INPUT
detection: python_shared_common_user_input
scope: result
- pattern: $<OS>.$<METHOD>($<...>$<USER_INPUT>$<...>)
filters:
- variable: OS
detection: python_lang_code_injection_os
scope: result
- variable: METHOD
values:
- execl
- execle
- execlp
- execlpe
- execv
- execve
- execvp
- execvpe
- variable: USER_INPUT
detection: python_shared_common_user_input
scope: result
auxiliary:
- id: python_lang_code_injection_os
patterns:
- os
- __import__("os")
languages:
- python
severity: critical
metadata:
description: Unsanitized user input in code generation
remediation_message: |-
## Description
Allowing user input to directly influence code generation or scripting functions without proper sanitization can lead to code injection vulnerabilities. This occurs when an attacker is able to insert malicious code into your application, which is then executed, potentially leading to unauthorized actions or data access.
## Remediations
- **Do not** pass unsanitized user input to functions or methods that dynamically execute code.
- **Do** always validate or sanitize input to ensure it does not contain harmful code before using it in such contexts.
## References
- [OWASP Code injection](https://owasp.org/www-community/attacks/Code_Injection)
cwe_id:
- 94
id: python_lang_code_injection
documentation_url: https://docs.bearer.com/reference/rules/python_lang_code_injection
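Review bot: the `setattr` pattern on the line `- pattern: setattr($<_>, $<_>, $<...>$<USER_INPUT>$<...>)` places user input in the value position (third argument) and leaves the attribute name as `$<_>`, whereas the injection risk in `setattr` comes from an attacker-controlled attribute name (second argument), which is also how the `getattr` pattern directly above it is written. As written the rule will report an ordinary assignment such as `setattr(current_user, "name", username)` as critical code injection while not matching `setattr(obj, user_controlled_name, "fixed")`. Suggest moving the user-input capture to the name argument, e.g. `- pattern: setattr($<_>, $<...>$<USER_INPUT>$<...>, $<_>)`. Two smaller points on the same hunk: `eval(` and `compile(` do not appear in the patterns although `exec(` does, so the most common Python code-execution sink is not covered by this rule; and the `os.exec*` family under `python_lang_code_injection_os` executes programs rather than Python code, so those findings are closer to CWE-78 than the single `94` listed under `cwe_id`; consider adding 78 there or moving those patterns to the command-injection rule.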
20 changes: 20 additions & 0 deletions tests/python/lang/code_injection/test.js
@@ -0,0 +1,20 @@
const {
createNewInvoker,
getEnvironment,
} = require("../../../helper.js")
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)

describe(ruleId, () => {
const invoke = createNewInvoker(ruleId, ruleFile, testBase)

test("code_injection", () => {
const testCase = "main.py"

const results = invoke(testCase)

expect(results).toEqual({
Missing: [],
Extra: []
})
})
})
15 changes: 15 additions & 0 deletions tests/python/lang/code_injection/testdata/main.py
@@ -0,0 +1,15 @@
# Use bearer:expected python_lang_code_injection to flag expected findings
def bad(request):
form = BadForm(request.POST)
# bearer:expected python_lang_code_injection
exec(form.cleaned_data["some_code"])

def bad2():
username = input("what hack today?")
# bearer:expected python_lang_code_injection
setattr(current_user, "name", username)

def bad3(request):
unsafe = request.GET.get("some_code")
# bearer:expected python_lang_code_injection
os.execl("/bin/bash", "/bin/bash", "-c", unsafe)
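Review bot: every function in this test file is a positive case, so the `Extra: []` assertion in test.js is never exercised against code the rule should ignore; add a safe counterpart (for example `exec` of a constant string, or `setattr` with a literal attribute name and a non-user value) so the test also catches over-matching. The `getattr` pattern from the rule has no case here at all, so its detection goes unverified; add a `bad4` that passes `request.GET.get(...)` as the attribute name. Note also that `bad2` places user input only in the value position of `setattr`, which is what the rule as written matches but is a weak signal for code injection compared with a user-controlled attribute name.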
