OS commands are security-sensitive. For example, their use has led in the past to the following vulnerabilities:

Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any externally-provided input used to construct those commands. Failure to do so could allow an attacker to execute unexpected or dangerous commands, potentially leading to loss of confidentiality, integrity or availability.

This rule flags code that specifies the name of the command to run. The goal is to guide security code reviews.

Ask Yourself Whether

(*) You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Restrict the control given to the user over the executed command:

Restrict which users can have access to the command:

Reduce the damage the command can do:

Sensitive Code Example

Python 3

import subprocess
import os

params = ["ls", "-l"]

subprocess.run(params)  # Sensitive
subprocess.Popen(params)  # Sensitive

# Older API

subprocess.call(params)  # Sensitive
subprocess.check_call(params)  # Sensitive
subprocess.check_output(params)  # Sensitive

cmd = "ls -l"
os.system(cmd)  # Sensitive

mode = os.P_WAIT
file = "ls"
path = "/bin/ls"
env = os.environ
os.spawnl(mode, path, *params)  # Sensitive
os.spawnle(mode, path, *params, env)  # Sensitive
os.spawnlp(mode, file, *params)  # Sensitive
os.spawnlpe(mode, file, *params, env)  # Sensitive
os.spawnv(mode, path, params)  # Sensitive
os.spawnve(mode, path, params, env)  # Sensitive
os.spawnvp(mode, file, params)  # Sensitive
os.spawnvpe(mode, file, params, env)  # Sensitive

mode = 'r'
child_stdout = os.popen(cmd, mode, 1)  # Sensitive
# print(child_stdout.read())

(_, output) = subprocess.getstatusoutput(cmd)  # Sensitive

out = subprocess.getoutput(cmd)  # Sensitive

os.startfile(path)  # Sensitive

os.execl(path, *params)  # Sensitive
os.execle(path, *params, env)  # Sensitive
os.execlp(file, *params)  # Sensitive
os.execlpe(file, *params, env)  # Sensitive
os.execv(path, params)  # Sensitive
os.execve(path, params, env)  # Sensitive
os.execvp(file, params)  # Sensitive
os.execvpe(file, params, env)  # Sensitive
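The listing above only catalogues the APIs the rule flags. The three recommended practices (restrict the user's control over the command, restrict which users may run it, reduce the damage it can do) can be applied together in code. The block below is an added example written for this page, not code from the rule or from SonarSource: the policy table, the role names, the `/tmp` working directory and the character filter are all constructed assumptions. The program path and name come from a fixed table, the caller only selects an action, an option from that action's option set and a single operand, and the process is started with an argument list (no shell), a minimal environment, a confined working directory and a timeout.

```python
import re
import subprocess

# Hypothetical policy, constructed for this example: each entry maps a short
# action name to a fixed absolute program path, the options a caller may
# select, and the roles allowed to trigger it. Nothing here is user-controlled.
COMMAND_POLICY = {
    "list": {"path": "/bin/ls", "options": {"-l", "-a"}, "roles": {"operator"}},
    "disk": {"path": "/bin/df", "options": {"-h"}, "roles": {"operator", "auditor"}},
}

# Conservative character set for a single operand (a file or directory name).
# Shell metacharacters (; | & $ ` ( ) < > space, newline) and "/" are excluded,
# so an operand cannot carry a second command, a redirection or a path component.
SAFE_OPERAND = re.compile(r"[A-Za-z0-9._-]+")

# Directory every command is confined to (assumed for the example); operands are
# resolved relative to it and cannot escape because "/" and ".." are rejected.
WORK_DIR = "/tmp"


class CommandPolicyError(ValueError):
    """Raised when a request is outside what the policy permits."""


def build_argv(action, options, operand, roles):
    """Return the argument vector for an allowed request, or raise.

    The caller never supplies the program name or path: it picks an action from
    the policy, options from that action's option set, and one operand that
    must pass the character filter.
    """
    spec = COMMAND_POLICY.get(action)
    if spec is None:
        raise CommandPolicyError(f"unknown action: {action!r}")
    if not spec["roles"] & set(roles):
        raise CommandPolicyError(f"role not permitted to run {action!r}")
    for opt in options:
        if opt not in spec["options"]:
            raise CommandPolicyError(f"option not permitted: {opt!r}")
    if not SAFE_OPERAND.fullmatch(operand) or operand == "..":
        raise CommandPolicyError(f"operand rejected: {operand!r}")
    # "--" ends option parsing, so an operand such as "-l" is never read as a flag.
    return [spec["path"], *options, "--", operand]


def is_permitted(action, options, operand, roles):
    """True if build_argv accepts the request, False if the policy rejects it."""
    try:
        build_argv(action, options, operand, roles)
    except CommandPolicyError:
        return False
    return True


def run_allowed(action, options, operand, roles, timeout=5):
    """Execute an allowed request with its blast radius reduced.

    Returns (return code, stdout). The argument list form means no shell ever
    parses the request; the environment is replaced by a minimal one so that
    PATH, LD_PRELOAD and similar variables cannot be inherited from the caller;
    the working directory is fixed; and a timeout bounds a hung child.
    """
    argv = build_argv(action, options, operand, roles)
    minimal_env = {"PATH": "/usr/bin:/bin", "LANG": "C"}
    result = subprocess.run(
        argv,
        shell=False,
        cwd=WORK_DIR,
        env=minimal_env,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return result.returncode, result.stdout


if __name__ == "__main__":
    # Lists the confined directory as an operator; a rejected request raises.
    code, out = run_allowed("list", ["-l"], ".", ["operator"])
    print(code)
    print(out)
    print(is_permitted("list", ["-l"], "logs; rm -rf /", ["operator"]))
```

Compared with `os.system("ls -l " + user_input)`, the request `logs; rm -rf /` is rejected before any process is created, and even an accepted operand reaches `/bin/ls` as one argument rather than as text for a shell to re-parse. The policy table is the place to review during a security code review: every program that can be started is listed there, with the roles that may start it.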

Python 2

import os
import popen2

cmd = "ls -l"
mode = "r"
(_, child_stdout) = os.popen2(cmd, mode)  # Sensitive
(_, child_stdout, _) = os.popen3(cmd, mode)  # Sensitive
(_, child_stdout) = os.popen4(cmd, mode)  # Sensitive

(child_stdout, _) = popen2.popen2(cmd)  # Sensitive
(child_stdout, _, _) = popen2.popen3(cmd)  # Sensitive
(child_stdout, _) = popen2.popen4(cmd)  # Sensitive

See