Mercurial Repositories > eric / annotate
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py@1fe731ca7078 (annotated)
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py
Fri, 02 Aug 2024 19:24:32 +0200
- author
- Detlev Offenbach <detlev@die-offenbachs.de>
- date
- Fri, 02 Aug 2024 19:24:32 +0200
- branch
- eric7
- changeset 10883
- 1fe731ca7078
- parent 10439
- 21c28b0f9e41
- child 11090
- f5f5f5803935
- permissions
- -rw-r--r--
Code Style Checker
- Updated the Security checker to `bandit v1.7.9`.
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
1 | # -*- coding: utf-8 -*- |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
2 | |
|
10439
21c28b0f9e41
Updated copyright for 2024.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10169
diff
changeset
|
3 | # Copyright (c) 2020 - 2024 Detlev Offenbach <detlev@die-offenbachs.de> |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
4 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
5 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
6 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
7 | Module implementing a check for shell injection. |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
8 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
9 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
10 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
11 | # This is a modified version of the one found in the bandit package. |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
12 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
13 | # Original Copyright 2014 Hewlett-Packard Development Company, L.P. |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
14 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
15 | # SPDX-License-Identifier: Apache-2.0 |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
16 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
17 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
18 | import ast |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
19 | import re |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
20 | |
|
7622
384e2aa5c073
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7615
diff
changeset
|
21 | import AstUtilities |
|
384e2aa5c073
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7615
diff
changeset
|
22 | |
|
7615
ca2949b1a29a
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7614
diff
changeset
|
23 | from Security.SecurityDefaults import SecurityDefaults |
|
ca2949b1a29a
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7614
diff
changeset
|
24 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
25 | # This regex starts with a windows drive letter (eg C:) |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
26 | # or one of our path delimeter characters (/, \, .) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
27 | fullPathMatchRe = re.compile(r"^(?:[A-Za-z](?=\:)|[\\\/\.])") |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
28 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
29 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
30 | def getChecks(): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
31 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
32 | Public method to get a dictionary with checks handled by this module. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
33 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
34 | @return dictionary containing checker lists containing checker function and |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
35 | list of codes |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
36 | @rtype dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
37 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
38 | return { |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
39 | "Call": [ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
40 | (checkSubprocessPopenWithShell, ("S602",)), |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
41 | (checkSubprocessPopenWithoutShell, ("S603",)), |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
42 | (checkOtherFunctionWithShell, ("S604",)), |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
43 | (checkStartProcessWithShell, ("S605",)), |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
44 | (checkStartProcessWithNoShell, ("S606",)), |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
45 | (checkStartProcessWithPartialPath, ("S607",)), |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
46 | ], |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
47 | } |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
48 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
49 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
50 | def _evaluateShellCall(context): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
51 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
52 | Function to determine the severity of a shell call. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
53 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
54 | @param context context to be inspected |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
55 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
56 | @return severity level (L, M or H) |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
57 | @rtype str |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
58 | """ |
|
7622
384e2aa5c073
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7615
diff
changeset
|
59 | noFormatting = AstUtilities.isString(context.node.args[0]) |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
60 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
61 | if noFormatting: |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
62 | return "L" |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
63 | else: |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
64 | return "H" |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
65 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
66 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
67 | def hasShell(context): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
68 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
69 | Function to check, if the node of the context contains the shell keyword. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
70 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
71 | @param context context to be inspected |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
72 | @type SecurityContext |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
73 | @return flag indicating the value of the 'shell' argument |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
74 | @rtype bool |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
75 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
76 | keywords = context.node.keywords |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
77 | result = False |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
78 | if "shell" in context.callKeywords: |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
79 | for key in keywords: |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
80 | if key.arg == "shell": |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
81 | val = key.value |
|
7622
384e2aa5c073
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7615
diff
changeset
|
82 | if AstUtilities.isNumber(val): |
|
10169
0f70a4ef4592
Made some modification in preparation for Python 3.12.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9653
diff
changeset
|
83 | result = bool(val.value) |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
84 | elif isinstance(val, ast.List): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
85 | result = bool(val.elts) |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
86 | elif isinstance(val, ast.Dict): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
87 | result = bool(val.keys) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
88 | elif isinstance(val, ast.Name) and val.id in ["False", "None"]: |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
89 | result = False |
|
7637
c878e8255972
Removed some more Python2 related code.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7622
diff
changeset
|
90 | elif AstUtilities.isNameConstant(val): |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
91 | result = val.value |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
92 | else: |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
93 | result = True |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
94 | |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
95 | return result |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
96 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
97 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
98 | def checkSubprocessPopenWithShell(reportError, context, config): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
99 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
100 | Function to check for use of popen with shell equals true. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
101 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
102 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
103 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
104 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
105 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
106 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
107 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
108 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
109 | functionNames = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
110 | config["shell_injection_subprocess"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
111 | if config and "shell_injection_subprocess" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
112 | else SecurityDefaults["shell_injection_subprocess"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
113 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
114 | |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
115 | if ( |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
116 | context.callFunctionNameQual in functionNames |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
117 | and hasShell(context) |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
118 | and len(context.callArgs) > 0 |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
119 | ): |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
120 | sev = _evaluateShellCall(context) |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
121 | if sev == "L": |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
122 | reportError( |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
123 | context.getLinenoForCallArg("shell") - 1, |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
124 | context.getOffsetForCallArg("shell"), |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
125 | "S602.L", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
126 | sev, |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
127 | "H", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
128 | ) |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
129 | else: |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
130 | reportError( |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
131 | context.getLinenoForCallArg("shell") - 1, |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
132 | context.getOffsetForCallArg("shell"), |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
133 | "S602.H", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
134 | sev, |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
135 | "H", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
136 | ) |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
137 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
138 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
139 | def checkSubprocessPopenWithoutShell(reportError, context, config): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
140 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
141 | Function to check for use of popen without shell equals true. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
142 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
143 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
144 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
145 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
146 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
147 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
148 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
149 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
150 | functionNames = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
151 | config["shell_injection_subprocess"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
152 | if config and "shell_injection_subprocess" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
153 | else SecurityDefaults["shell_injection_subprocess"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
154 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
155 | |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
156 | if context.callFunctionNameQual in functionNames and not hasShell(context): |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
157 | reportError( |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
158 | context.node.lineno - 1, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
159 | context.node.col_offset, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
160 | "S603", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
161 | "L", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
162 | "H", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
163 | ) |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
164 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
165 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
166 | def checkOtherFunctionWithShell(reportError, context, config): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
167 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
168 | Function to check for any function with shell equals true. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
169 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
170 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
171 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
172 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
173 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
174 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
175 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
176 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
177 | functionNames = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
178 | config["shell_injection_subprocess"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
179 | if config and "shell_injection_subprocess" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
180 | else SecurityDefaults["shell_injection_subprocess"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
181 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
182 | |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
183 | if context.callFunctionNameQual not in functionNames and hasShell(context): |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
184 | reportError( |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
185 | context.getLinenoForCallArg("shell") - 1, |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
186 | context.getOffsetForCallArg("shell"), |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
187 | "S604", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
188 | "M", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
189 | "L", |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
190 | ) |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
191 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
192 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
193 | def checkStartProcessWithShell(reportError, context, config): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
194 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
195 | Function to check for starting a process with a shell. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
196 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
197 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
198 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
199 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
200 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
201 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
202 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
203 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
204 | functionNames = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
205 | config["shell_injection_shell"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
206 | if config and "shell_injection_shell" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
207 | else SecurityDefaults["shell_injection_shell"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
208 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
209 | |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
210 | if context.callFunctionNameQual in functionNames and len(context.callArgs) > 0: |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
211 | sev = _evaluateShellCall(context) |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
212 | if sev == "L": |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
213 | reportError( |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
214 | context.node.lineno - 1, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
215 | context.node.col_offset, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
216 | "S605.L", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
217 | sev, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
218 | "H", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
219 | ) |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
220 | else: |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
221 | reportError( |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
222 | context.node.lineno - 1, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
223 | context.node.col_offset, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
224 | "S605.H", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
225 | sev, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
226 | "H", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
227 | ) |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
228 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
229 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
230 | def checkStartProcessWithNoShell(reportError, context, config): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
231 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
232 | Function to check for starting a process with no shell. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
233 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
234 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
235 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
236 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
237 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
238 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
239 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
240 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
241 | functionNames = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
242 | config["shell_injection_noshell"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
243 | if config and "shell_injection_noshell" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
244 | else SecurityDefaults["shell_injection_noshell"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
245 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
246 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
247 | if context.callFunctionNameQual in functionNames: |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
248 | reportError( |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
249 | context.node.lineno - 1, |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
250 | context.node.col_offset, |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
251 | "S606", |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
252 | "L", |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
253 | "M", |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
254 | ) |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
255 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
256 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
257 | def checkStartProcessWithPartialPath(reportError, context, config): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
258 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
259 | Function to check for starting a process with no shell. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
260 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
261 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
262 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
263 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
264 | @type SecurityContext |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
265 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
266 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
267 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
268 | functionNames = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
269 | config["shell_injection_subprocess"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
270 | if config and "shell_injection_subprocess" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
271 | else SecurityDefaults["shell_injection_subprocess"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
8222
diff
changeset
|
272 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
273 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
274 | if config and "shell_injection_shell" in config: |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
275 | functionNames += config["shell_injection_shell"] |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
276 | else: |
|
7615
ca2949b1a29a
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7614
diff
changeset
|
277 | functionNames += SecurityDefaults["shell_injection_shell"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
278 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
279 | if config and "shell_injection_noshell" in config: |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
280 | functionNames += config["shell_injection_noshell"] |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
281 | else: |
|
7615
ca2949b1a29a
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7614
diff
changeset
|
282 | functionNames += SecurityDefaults["shell_injection_noshell"] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
283 | |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
284 | if len(context.callArgs) and context.callFunctionNameQual in functionNames: |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
285 | node = context.node.args[0] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
286 | |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
287 | # some calls take an arg list, check the first part |
|
10883
1fe731ca7078
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
288 | if isinstance(node, ast.List) and node.elts: |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
289 | node = node.elts[0] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
290 | |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
291 | # make sure the param is a string literal and not a var name |
|
10169
0f70a4ef4592
Made some modification in preparation for Python 3.12.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9653
diff
changeset
|
292 | if AstUtilities.isString(node) and not fullPathMatchRe.match(node.value): |
|
8222
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
293 | reportError( |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
294 | context.node.lineno - 1, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
295 | context.node.col_offset, |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
296 | "S607", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
297 | "L", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
298 | "H", |
|
5994b80b8760
Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
299 | ) |
