Python Command Injection Concat String
Description
Detects potential OS command injection vulnerabilities in Python code where user-controlled input could be passed to dangerous system command execution functions like os.system() or subprocess methods. These vulnerabilities allow attackers to execute arbitrary system commands by injecting malicious shell commands into application parameters.
Detection Strategy
• Identifies imports of 'os' or 'subprocess' modules in Python code
• Checks for calls to high-risk functions: os.system() and subprocess module methods (like run, Popen, call)
• Analyzes if the command string passed to these functions is constructed using concatenation or string formatting with user-controlled input
• Reports a vulnerability when command execution functions receive dynamically constructed strings rather than static command strings
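The detection strategy above, written out as a small AST-based checker; this is an added illustration, not Fluid Attacks' own rule implementation. The sink table, the function name `find_command_injection` and the sample snippet it scans are constructed here as assumptions.

```python
import ast

# Sinks the rule watches as (module, attribute). The page names os.system and
# the subprocess family (run, Popen, call); check_call/check_output behave alike.
COMMAND_SINKS = {("os", "system"), ("subprocess", "run"), ("subprocess", "call"),
                 ("subprocess", "check_call"), ("subprocess", "check_output"),
                 ("subprocess", "Popen")}

def is_dynamic_string(node: ast.AST) -> bool:
    """True when the command expression is assembled at runtime."""
    if isinstance(node, ast.Constant):
        return False                                   # static literal
    if isinstance(node, ast.JoinedStr):                # f"ping {host}"
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                    # "ping " + host / "ping %s" % host
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"              # "ping {}".format(host)
    return False   # argv lists and bare names are outside this concat-focused rule

def find_command_injection(source: str) -> list[tuple[int, str]]:
    """Return (line, qualified sink) for each dynamically built command string."""
    tree = ast.parse(source)
    # Step 1: only module-style imports are tracked ("from os import system" is not)
    imported = {alias.name for node in ast.walk(tree)
                if isinstance(node, ast.Import) for alias in node.names}
    findings = []
    for node in ast.walk(tree):
        # Step 2: calls of the form <module>.<attr>(...)
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            continue
        sink = (node.func.value.id, node.func.attr)
        if sink not in COMMAND_SINKS or sink[0] not in imported or not node.args:
            continue
        # Steps 3-4: report when the first argument is built by concat/formatting
        if is_dynamic_string(node.args[0]):
            findings.append((node.lineno, ".".join(sink)))
    return findings

# Constructed sample code under test (not from the page).
SAMPLE = '''
import os
import subprocess
def ping(hostname):
    os.system("ping -c 1 " + hostname)                    # flagged
    subprocess.run(f"ping -c 1 {hostname}", shell=True)    # flagged
    subprocess.run(["ping", "-c", "1", hostname])          # argv list: not flagged
    subprocess.call("uptime", shell=True)                  # static string: not flagged
'''
```

Running `find_command_injection(SAMPLE)` reports the two concatenation/f-string sinks on lines 5 and 6 and stays silent on the argv-list and static-string calls.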
Vulnerable code example
from django.http import HttpRequest, HttpResponse
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def vulnerable_view(request: HttpRequest) -> HttpResponse:
    hostname = request.POST.get("hostname", "localhost")
    # VULNERABLE: shell=True with unescaped user input enables command injection
    import subprocess...
✅ Secure code example
from django.http import HttpRequest, HttpResponse
from django.views.decorators.http import require_http_methods
import subprocess
import re
@require_http_methods(["POST"])
def secure_view(request: HttpRequest) -> HttpResponse:
    hostname = request.POST.get("hostname", "localhost")...