eric: comparison eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionWildcard.py

-:fb0ef164f536
+:698ae46f40a4
 @param context security context object
 @type SecurityContext
 @param config dictionary with configuration data
 @type dict
 """
-if config and "shell_injection_subprocess" in config:
+subProcessFunctionNames = (
-subProcessFunctionNames = config["shell_injection_subprocess"]
+config["shell_injection_subprocess"]
-else:
+if config and "shell_injection_subprocess" in config else
-subProcessFunctionNames = SecurityDefaults[
+SecurityDefaults["shell_injection_subprocess"]
-"shell_injection_subprocess"]
+)
-if config and "shell_injection_shell" in config:
+shellFunctionNames = (
-shellFunctionNames = config["shell_injection_shell"]
+config["shell_injection_shell"]
-else:
+if config and "shell_injection_shell" in config else
-shellFunctionNames = SecurityDefaults["shell_injection_shell"]
+SecurityDefaults["shell_injection_shell"]
+)
 vulnerableFunctions = ['chown', 'chmod', 'tar', 'rsync']
 if (
-context.callFunctionNameQual in shellFunctionNames or
+(context.callFunctionNameQual in shellFunctionNames or
 (context.callFunctionNameQual in subProcessFunctionNames and
-context.checkCallArgValue('shell', 'True'))
+context.checkCallArgValue('shell', 'True'))) and
+context.callArgsCount >= 1
 ):
-if context.callArgsCount >= 1:
+callArgument = context.getCallArgAtPosition(0)
-callArgument = context.getCallArgAtPosition(0)
+argumentString = ''
-argumentString = ''
+if isinstance(callArgument, list):
-if isinstance(callArgument, list):
+for li in callArgument:
-for li in callArgument:
+argumentString += ' {0}'.format(li)
-argumentString = argumentString + ' {0}'.format(li)
+elif isinstance(callArgument, str):
-elif isinstance(callArgument, str):
+argumentString = callArgument
-argumentString = callArgument
+if argumentString != '':
-if argumentString != '':
+for vulnerableFunction in vulnerableFunctions:
-for vulnerableFunction in vulnerableFunctions:
+if (
-if (
+vulnerableFunction in argumentString and
-vulnerableFunction in argumentString and
+'*' in argumentString
-'*' in argumentString
+):
-):
+lineNo = context.getLinenoForCallArg('shell')
-lineNo = context.getLinenoForCallArg('shell')
+if lineNo < 1:
-if lineNo < 1:
+lineNo = context.node.lineno
-lineNo = context.node.lineno
+offset = context.getOffsetForCallArg('shell')
-offset = context.getOffsetForCallArg('shell')
+if offset < 0:
-if offset < 0:
+offset = context.node.col_offset
-offset = context.node.col_offset
+reportError(
-reportError(
+lineNo - 1,
-lineNo - 1,
+offset,
-offset,
+"S609",
-"S609",
+"H",
-"H",
+"M",
-"M",
+context.callFunctionNameQual
-context.callFunctionNameQual
+)
-)

Mercurial Repositories > eric / file comparison

comparison: eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionWildcard.py

eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionWildcard.py