Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py
- branch
- eric7
- changeset 9325
- 8157eb19aba5
- parent 9221
- bf71ee032bb4
- child 9653
- e67609152c5e
equal
deleted
inserted
replaced
| 9324:7f7f3e47b238 | 9325:8157eb19aba5 |
|---|---|
| 68 """ | 68 """ |
| 69 Function to check, if the node of the context contains the shell keyword. | 69 Function to check, if the node of the context contains the shell keyword. |
| 70 | 70 |
| 71 @param context context to be inspected | 71 @param context context to be inspected |
| 72 @type SecurityContext | 72 @type SecurityContext |
| 73 @return tuple containing a flag indicating the presence of the 'shell' | 73 @return flag indicating the value of the 'shell' argument |
| 74 argument and flag indicating the value of the 'shell' argument | 74 @rtype bool |
| 75 @rtype tuple of (bool, bool) | |
| 76 """ | 75 """ |
| 77 keywords = context.node.keywords | 76 keywords = context.node.keywords |
| 78 result = False | 77 result = False |
| 79 shell = False | |
| 80 if "shell" in context.callKeywords: | 78 if "shell" in context.callKeywords: |
| 81 shell = True | |
| 82 for key in keywords: | 79 for key in keywords: |
| 83 if key.arg == "shell": | 80 if key.arg == "shell": |
| 84 val = key.value | 81 val = key.value |
| 85 if AstUtilities.isNumber(val): | 82 if AstUtilities.isNumber(val): |
| 86 result = bool(val.n) | 83 result = bool(val.n) |
| 93 elif AstUtilities.isNameConstant(val): | 90 elif AstUtilities.isNameConstant(val): |
| 94 result = val.value | 91 result = val.value |
| 95 else: | 92 else: |
| 96 result = True | 93 result = True |
| 97 | 94 |
| 98 return shell, result | 95 return result |
| 99 | 96 |
| 100 | 97 |
| 101 def checkSubprocessPopenWithShell(reportError, context, config): | 98 def checkSubprocessPopenWithShell(reportError, context, config): |
| 102 """ | 99 """ |
| 103 Function to check for use of popen with shell equals true. | 100 Function to check for use of popen with shell equals true. |
| 113 config["shell_injection_subprocess"] | 110 config["shell_injection_subprocess"] |
| 114 if config and "shell_injection_subprocess" in config | 111 if config and "shell_injection_subprocess" in config |
| 115 else SecurityDefaults["shell_injection_subprocess"] | 112 else SecurityDefaults["shell_injection_subprocess"] |
| 116 ) | 113 ) |
| 117 | 114 |
| 118 if context.callFunctionNameQual in functionNames: | 115 if ( |
| 119 shell, shellValue = hasShell(context) | 116 context.callFunctionNameQual in functionNames |
| 120 if shell and shellValue and len(context.callArgs) > 0: | 117 and hasShell(context) |
| 121 sev = _evaluateShellCall(context) | 118 and len(context.callArgs) > 0 |
| 122 if sev == "L": | 119 ): |
| 123 reportError( | 120 sev = _evaluateShellCall(context) |
| 124 context.getLinenoForCallArg("shell") - 1, | 121 if sev == "L": |
| 125 context.getOffsetForCallArg("shell"), | 122 reportError( |
| 126 "S602.L", | 123 context.getLinenoForCallArg("shell") - 1, |
| 127 sev, | 124 context.getOffsetForCallArg("shell"), |
| 128 "H", | 125 "S602.L", |
| 129 ) | 126 sev, |
| 130 else: | 127 "H", |
| 131 reportError( | 128 ) |
| 132 context.getLinenoForCallArg("shell") - 1, | 129 else: |
| 133 context.getOffsetForCallArg("shell"), | 130 reportError( |
| 134 "S602.H", | 131 context.getLinenoForCallArg("shell") - 1, |
| 135 sev, | 132 context.getOffsetForCallArg("shell"), |
| 136 "H", | 133 "S602.H", |
| 137 ) | 134 sev, |
| 135 "H", | |
| 136 ) | |
| 138 | 137 |
| 139 | 138 |
| 140 def checkSubprocessPopenWithoutShell(reportError, context, config): | 139 def checkSubprocessPopenWithoutShell(reportError, context, config): |
| 141 """ | 140 """ |
| 142 Function to check for use of popen without shell equals true. | 141 Function to check for use of popen without shell equals true. |
| 152 config["shell_injection_subprocess"] | 151 config["shell_injection_subprocess"] |
| 153 if config and "shell_injection_subprocess" in config | 152 if config and "shell_injection_subprocess" in config |
| 154 else SecurityDefaults["shell_injection_subprocess"] | 153 else SecurityDefaults["shell_injection_subprocess"] |
| 155 ) | 154 ) |
| 156 | 155 |
| 157 if context.callFunctionNameQual in functionNames and not hasShell(context)[0]: | 156 if context.callFunctionNameQual in functionNames and not hasShell(context): |
| 158 reportError( | 157 reportError( |
| 159 context.node.lineno - 1, | 158 context.node.lineno - 1, |
| 160 context.node.col_offset, | 159 context.node.col_offset, |
| 161 "S603", | 160 "S603", |
| 162 "L", | 161 "L", |
| 179 config["shell_injection_subprocess"] | 178 config["shell_injection_subprocess"] |
| 180 if config and "shell_injection_subprocess" in config | 179 if config and "shell_injection_subprocess" in config |
| 181 else SecurityDefaults["shell_injection_subprocess"] | 180 else SecurityDefaults["shell_injection_subprocess"] |
| 182 ) | 181 ) |
| 183 | 182 |
| 184 if context.callFunctionNameQual not in functionNames: | 183 if context.callFunctionNameQual not in functionNames and hasShell(context): |
| 185 shell, shellValue = hasShell(context) | 184 reportError( |
| 186 if shell and shellValue: | 185 context.getLinenoForCallArg("shell") - 1, |
| 187 reportError( | 186 context.getOffsetForCallArg("shell"), |
| 188 context.getLinenoForCallArg("shell") - 1, | 187 "S604", |
| 189 context.getOffsetForCallArg("shell"), | 188 "M", |
| 190 "S604", | 189 "L", |
| 191 "M", | 190 ) |
| 192 "L", | |
| 193 ) | |
| 194 | 191 |
| 195 | 192 |
| 196 def checkStartProcessWithShell(reportError, context, config): | 193 def checkStartProcessWithShell(reportError, context, config): |
| 197 """ | 194 """ |
| 198 Function to check for starting a process with a shell. | 195 Function to check for starting a process with a shell. |
