--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py Wed Jul 13 11:16:20 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py Wed Jul 13 14:55:47 2022 +0200 @@ -24,13 +24,13 @@ # This regex starts with a windows drive letter (eg C:) # or one of our path delimeter characters (/, \, .) -fullPathMatchRe = re.compile(r'^(?:[A-Za-z](?=\:)|[\\\/\.])') +fullPathMatchRe = re.compile(r"^(?:[A-Za-z](?=\:)|[\\\/\.])") def getChecks(): """ Public method to get a dictionary with checks handled by this module. - + @return dictionary containing checker lists containing checker function and list of codes @rtype dict @@ -50,7 +50,7 @@ def _evaluateShellCall(context): """ Function to determine the severity of a shell call. - + @param context context to be inspected @type SecurityContext @return severity level (L, M or H) @@ -67,7 +67,7 @@ def hasShell(context): """ Function to check, if the node of the context contains the shell keyword. - + @param context context to be inspected @type SecurityContext @return tuple containing a flag indicating the presence of the 'shell' @@ -77,10 +77,10 @@ keywords = context.node.keywords result = False shell = False - if 'shell' in context.callKeywords: + if "shell" in context.callKeywords: shell = True for key in keywords: - if key.arg == 'shell': + if key.arg == "shell": val = key.value if AstUtilities.isNumber(val): result = bool(val.n) 
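Review bot: The comment above `fullPathMatchRe` misspells "delimiter" as "delimeter"; the quote-style rewrite leaves the comment untouched, so this is a good moment to fix it: `# or one of our path delimiter characters (/, \, .)`. The pattern itself also escapes `/` and `:` inside the raw string, which re accepts but does not need; `r"^(?:[A-Za-z](?=:)|[\\/.])"` matches the same inputs and reads more directly.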
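Review bot: `result = bool(val.n)` in the numeric branch of hasShell reads the `ast.Num.n` alias, which has been deprecated since Python 3.8 in favour of `ast.Constant.value` and is scheduled for removal; `result = bool(val.value)` works on every current version, assuming AstUtilities.isNumber accepts the Constant form. The `shell = False` / `if "shell" in context.callKeywords: shell = True` pair above it can be collapsed into `shell = "shell" in context.callKeywords`. hasShell continues in the next hunk.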
@@ -88,20 +88,20 @@ result = bool(val.elts) elif isinstance(val, ast.Dict): result = bool(val.keys) - elif isinstance(val, ast.Name) and val.id in ['False', 'None']: + elif isinstance(val, ast.Name) and val.id in ["False", "None"]: result = False elif AstUtilities.isNameConstant(val): result = val.value else: result = True - + return shell, result def checkSubprocessPopenWithShell(reportError, context, config): """ Function to check for use of popen with shell equals true. - + @param reportError function to be used to report errors @type func @param context security context object @@ -111,26 +111,26 @@ """ functionNames = ( config["shell_injection_subprocess"] - if config and "shell_injection_subprocess" in config else - SecurityDefaults["shell_injection_subprocess"] + if config and "shell_injection_subprocess" in config + else SecurityDefaults["shell_injection_subprocess"] ) - + if context.callFunctionNameQual in functionNames: shell, shellValue = hasShell(context) if shell and shellValue and len(context.callArgs) > 0: sev = _evaluateShellCall(context) if sev == "L": reportError( - context.getLinenoForCallArg('shell') - 1, - context.getOffsetForCallArg('shell'), + context.getLinenoForCallArg("shell") - 1, + context.getOffsetForCallArg("shell"), "S602.L", sev, "H", ) else: reportError( - context.getLinenoForCallArg('shell') - 1, - context.getOffsetForCallArg('shell'), + context.getLinenoForCallArg("shell") - 1, + context.getOffsetForCallArg("shell"), "S602.H", sev, "H", @@ -140,7 +140,7 @@ def checkSubprocessPopenWithoutShell(reportError, context, config): """ Function to check for use of popen without shell equals true. - + @param reportError function to be used to report errors @type func @param context security context object 
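Review bot: The branch `elif isinstance(val, ast.Name) and val.id in ["False", "None"]` looks unreachable on Python 3, where `False` and `None` are keywords that the parser emits as `ast.Constant` (formerly `ast.NameConstant`), never as `ast.Name`; the `AstUtilities.isNameConstant(val)` branch right below already yields `result = val.value`, which is falsy for both. Unless AstUtilities synthesises `ast.Name` nodes for these values, the branch can be dropped. hasShell starts in the previous hunk.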
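Review bot: The two `reportError` calls in checkSubprocessPopenWithShell differ only in the code string, so the branch reduces to `code = "S602.L" if sev == "L" else "S602.H"` followed by a single call; checkStartProcessWithShell (hunk at -209) has the same shape. The three-line `functionNames = (config[...] if config and ... in config else SecurityDefaults[...])` lookup is repeated verbatim in every check in this file (hunks at -150, -180, -209, -249 and -276) and would read better as one helper such as `_getFunctionNames(config, key)`. If the default entries are lists, that helper should return a copy, because checkStartProcessWithPartialPath (hunk at -276) later does `functionNames += ...`, which would extend the shared SecurityDefaults entry in place on every call and quietly widen what the other checks match. `len(context.callArgs) > 0` can simply be `context.callArgs`.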
@@ -150,14 +150,11 @@ """ functionNames = ( config["shell_injection_subprocess"] - if config and "shell_injection_subprocess" in config else - SecurityDefaults["shell_injection_subprocess"] + if config and "shell_injection_subprocess" in config + else SecurityDefaults["shell_injection_subprocess"] ) - - if ( - context.callFunctionNameQual in functionNames and - not hasShell(context)[0] - ): + + if context.callFunctionNameQual in functionNames and not hasShell(context)[0]: reportError( context.node.lineno - 1, context.node.col_offset, @@ -170,7 +167,7 @@ def checkOtherFunctionWithShell(reportError, context, config): """ Function to check for any function with shell equals true. - + @param reportError function to be used to report errors @type func @param context security context object @@ -180,16 +177,16 @@ """ functionNames = ( config["shell_injection_subprocess"] - if config and "shell_injection_subprocess" in config else - SecurityDefaults["shell_injection_subprocess"] + if config and "shell_injection_subprocess" in config + else SecurityDefaults["shell_injection_subprocess"] ) - + if context.callFunctionNameQual not in functionNames: shell, shellValue = hasShell(context) if shell and shellValue: reportError( - context.getLinenoForCallArg('shell') - 1, - context.getOffsetForCallArg('shell'), + context.getLinenoForCallArg("shell") - 1, + context.getOffsetForCallArg("shell"), "S604", "M", "L", @@ -199,7 +196,7 @@ def checkStartProcessWithShell(reportError, context, config): """ Function to check for starting a process with a shell. - + @param reportError function to be used to report errors @type func @param context security context object 
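Review bot: The condition `... and not hasShell(context)[0]` makes S603 fire only when the `shell` keyword is absent entirely; an explicit `shell=False` makes hasShell return `(True, False)`, which skips this check, and S602 in the previous function needs a truthy value, so such a call is reported by neither. If S603 is meant to cover every subprocess call that does not go through a shell, the test should look at the value: `shell, shellValue = hasShell(context)` and `if context.callFunctionNameQual in functionNames and not (shell and shellValue):`. If skipping an explicit `shell=False` is intentional, a one-line comment saying so would save the next reader the same question.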
@@ -209,14 +206,11 @@ """ functionNames = ( config["shell_injection_shell"] - if config and "shell_injection_shell" in config else - SecurityDefaults["shell_injection_shell"] + if config and "shell_injection_shell" in config + else SecurityDefaults["shell_injection_shell"] ) - - if ( - context.callFunctionNameQual in functionNames and - len(context.callArgs) > 0 - ): + + if context.callFunctionNameQual in functionNames and len(context.callArgs) > 0: sev = _evaluateShellCall(context) if sev == "L": reportError( @@ -239,7 +233,7 @@ def checkStartProcessWithNoShell(reportError, context, config): """ Function to check for starting a process with no shell. - + @param reportError function to be used to report errors @type func @param context security context object @@ -249,10 +243,10 @@ """ functionNames = ( config["shell_injection_noshell"] - if config and "shell_injection_noshell" in config else - SecurityDefaults["shell_injection_noshell"] + if config and "shell_injection_noshell" in config + else SecurityDefaults["shell_injection_noshell"] ) - + if context.callFunctionNameQual in functionNames: reportError( context.node.lineno - 1, @@ -266,7 +260,7 @@ def checkStartProcessWithPartialPath(reportError, context, config): """ Function to check for starting a process with no shell. - + @param reportError function to be used to report errors @type func @param context security context object 
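Review bot: The docstring of checkStartProcessWithPartialPath, visible in this hunk's context, reads "Function to check for starting a process with no shell.", which is the docstring of checkStartProcessWithNoShell copied verbatim; the body in the following hunk tests the first call argument against fullPathMatchRe, so it should say `Function to check for starting a process with a partial executable path.` The function body lies outside this hunk.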
@@ -276,35 +270,29 @@ """ functionNames = ( config["shell_injection_subprocess"] - if config and "shell_injection_subprocess" in config else - SecurityDefaults["shell_injection_subprocess"] + if config and "shell_injection_subprocess" in config + else SecurityDefaults["shell_injection_subprocess"] ) - + if config and "shell_injection_shell" in config: functionNames += config["shell_injection_shell"] else: functionNames += SecurityDefaults["shell_injection_shell"] - + if config and "shell_injection_noshell" in config: functionNames += config["shell_injection_noshell"] else: functionNames += SecurityDefaults["shell_injection_noshell"] - - if ( - len(context.callArgs) and - context.callFunctionNameQual in functionNames - ): + + if len(context.callArgs) and context.callFunctionNameQual in functionNames: node = context.node.args[0] - + # some calls take an arg list, check the first part if isinstance(node, ast.List): node = node.elts[0] - + # make sure the param is a string literal and not a var name - if ( - AstUtilities.isString(node) and - not fullPathMatchRe.match(node.s) - ): + if AstUtilities.isString(node) and not fullPathMatchRe.match(node.s): reportError( context.node.lineno - 1, context.node.col_offset,