Python Command Injection Via User Input
Description
Detects command injection vulnerabilities in Python applications using the Paramiko SSH library. The vulnerability occurs when user-controlled input is passed directly to Paramiko's remote command execution methods (exec_command or invoke_shell), allowing an attacker to inject arbitrary commands that will be executed on the remote system.
Detection Strategy
• Check if the Paramiko library is imported in the Python code
• Look for calls to Paramiko's dangerous methods: invoke_shell() or exec_command()
• Verify the SSH client object is created with potentially unsafe parameters
• Check if the command/input parameter passed to these methods comes from an untrusted source
• Additionally detect unsafe uses of the invoke_shell().send() method with untrusted input
• Report a vulnerability when untrusted input flows into any of these dangerous Paramiko command execution methods
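A minimal AST-based checker that follows the steps above, added here as an illustration and not Fluid Attacks' own detection logic. The two sample sources are constructed, and the taint model (Flask `request` plus simple name assignments) is a deliberately simplified assumption:

```python
import ast

VULNERABLE_SRC = '''from flask import request
import paramiko
def cmd():
    user_input = request.args.get("cmd", "")
    client.exec_command(user_input)
    shell = client.invoke_shell()
    shell.send(user_input + "\\n")
'''  # constructed vulnerable sample, not the page's own code
SAFE_SRC = '''import paramiko
def uptime(client):
    client.exec_command("uptime")  # constant command, no user input
'''  # constructed safe sample

def _names_in(node):
    """Identifier names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def _calls_method(node, name):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == name)

def find_paramiko_injection(source, sources=("request",)):
    """Sorted (lineno, method) pairs where data derived from `sources` reaches a Paramiko sink."""
    tree = ast.parse(source)
    if not any(isinstance(n, ast.Import) and any(a.name == "paramiko" for a in n.names)
               or isinstance(n, ast.ImportFrom) and n.module == "paramiko" for n in ast.walk(tree)):
        return []  # step 1: Paramiko is not even imported
    tainted, shells, changed = set(sources), set(), True
    while changed:  # step 4: propagate taint through simple name assignments until stable
        changed = False
        for node in ast.walk(tree):
            if not isinstance(node, ast.Assign):
                continue
            targets = {t.id for t in node.targets if isinstance(t, ast.Name)}
            if _names_in(node.value) & tainted and targets - tainted:
                tainted, changed = tainted | targets, True
            if _calls_method(node.value, "invoke_shell"):
                shells |= targets  # channel objects returned by invoke_shell()
    findings = []
    for node in ast.walk(tree):  # steps 2 and 5: the sinks
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.args):
            continue
        recv, method = node.func.value, node.func.attr
        is_sink = method == "exec_command" or (method == "send" and (
            _calls_method(recv, "invoke_shell") or isinstance(recv, ast.Name) and recv.id in shells))
        if is_sink and _names_in(node.args[0]) & tainted:
            findings.append((node.lineno, method))
    return sorted(findings)
```

The checker reports the line and method of each tainted sink; a command built from a constant, or a file that never imports Paramiko, yields no findings.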
Vulnerable code example
```python
from flask import Flask, request
import paramiko

app = Flask(__name__)

@app.route("/cmd")
def cmd():
    user_input = request.args.get("cmd", "")
    ...
```

✅ Secure code example
```python
from flask import Flask, request, jsonify
import paramiko
import re

app = Flask(__name__)

@app.route("/cmd")
def cmd():
    ...
```