Python Subprocess Command Injection
Description
Detects command injection vulnerabilities in Python asyncio subprocess calls. Identifies dangerous uses of the shell-executing entry points, asyncio.create_subprocess_shell and the low-level loop.subprocess_shell, where a command string built from unsanitized input is handed to /bin/sh and can be turned into arbitrary command execution.
Detection Strategy
• Check if the asyncio library is imported in the Python code
• Identify calls to the shell-executing methods asyncio.create_subprocess_shell and loop.subprocess_shell (create_subprocess_exec and loop.subprocess_exec take an argument list and are not shell sinks)
• Check whether the command-string argument is built from dynamic or user-controlled input rather than from a constant literal
• Flag calls whose command is assembled by f-strings, concatenation, %-formatting or str.format() from input that is neither validated nor quoted
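The four steps above, as an added detector that is not part of the Fluid Attacks rule or its engine: it parses Python source with the standard ast module, requires an asyncio import, locates the two shell sinks, and classifies the command argument by how it was built, following a simple local assignment so a command assembled in a variable and passed by name is still caught. The function name find_shell_injections and the SAMPLE source are constructed for this example.

```python
import ast

# Sinks that hand a single string to /bin/sh -c. The second name matches the
# low-level loop.subprocess_shell(protocol_factory, cmd, ...) on any receiver.
SHELL_SINKS = {"create_subprocess_shell", "subprocess_shell"}


def _callee_name(call):
    """'asyncio.create_subprocess_shell(...)' -> 'create_subprocess_shell'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def _command_arg(call, name):
    """Return the expression passed as the shell command, positional or keyword."""
    for kw in call.keywords:
        if kw.arg == "cmd":
            return kw.value
    index = 1 if name == "subprocess_shell" else 0  # loop.subprocess_shell(protocol_factory, cmd)
    return call.args[index] if len(call.args) > index else None


def _classify(node, assignments, seen=frozenset()):
    """Describe how the command string is built; None means a static literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation or %-formatting"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr in ("format", "join"):
        return f"str.{node.func.attr}()"
    if isinstance(node, ast.Name):
        if node.id in assignments and node.id not in seen:
            inner = _classify(assignments[node.id], assignments, seen | {node.id})
            return None if inner is None else f"variable {node.id!r} built from {inner}"
        return f"variable {node.id!r} of unknown origin (parameter or global)"
    return "dynamic expression"


def find_shell_injections(source):
    """Return (line, sink, reason) for each shell sink whose command is not a literal."""
    tree = ast.parse(source)
    # Step 1: only files that use asyncio are in scope for this rule
    uses_asyncio = any(
        (isinstance(n, ast.Import) and any(a.name == "asyncio" for a in n.names))
        or (isinstance(n, ast.ImportFrom) and n.module == "asyncio")
        for n in ast.walk(tree)
    )
    if not uses_asyncio:
        return []
    # Crude flow: remember the last simple `name = expr` so a command built
    # in a local and passed by name is still classified by how it was built.
    assignments = {}
    for n in ast.walk(tree):
        if isinstance(n, ast.Assign) and len(n.targets) == 1 \
                and isinstance(n.targets[0], ast.Name):
            assignments[n.targets[0].id] = n.value
    findings = []
    for n in ast.walk(tree):  # Steps 2-4: locate sinks and inspect their command argument
        if not isinstance(n, ast.Call):
            continue
        name = _callee_name(n)
        if name not in SHELL_SINKS:
            continue
        cmd = _command_arg(n, name)
        reason = _classify(cmd, assignments) if cmd is not None else None
        if reason is not None:
            findings.append((n.lineno, name, reason))
    return sorted(findings)


# Constructed sample, not code from the page: one safe call and three unsafe ones.
SAMPLE = '''
import asyncio

ARCHIVE_CMD = "tar -czf archive.tar.gz ."

async def safe():
    await asyncio.create_subprocess_shell(ARCHIVE_CMD)         # constant: not flagged

async def vulnerable(user_input, loop):
    command = f"tar -czf archive.tar.gz {user_input}"
    await asyncio.create_subprocess_shell(command)             # f-string through a local
    await asyncio.create_subprocess_shell("ls " + user_input)  # concatenation
    await loop.subprocess_shell(asyncio.SubprocessProtocol, "du -sh %s" % user_input)
'''

if __name__ == "__main__":
    for line, sink, reason in find_shell_injections(SAMPLE):
        print(f"line {line}: {sink} command built from {reason}")
```

The assignment map is deliberately simple (last assignment to a name wins, no scoping), which is enough to follow the page's own pattern of building the string in a local first; a production rule would track flow per function and treat shlex.quote() or a validated constant as a sanitizer.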
Vulnerable code example
import asyncio

async def create_archive(user_input):
    # VULNERABLE: unsanitized user input is interpolated into a shell command string
    command = f"tar -czf archive.tar.gz {user_input}"
    # VULNERABLE: create_subprocess_shell hands the string to /bin/sh -c, so an input
    # such as "x; id #" or "$(id)" executes as a command
    proc = await asyncio.create_subprocess_shell(command)
    await proc.wait()
    return proc.returncode

✅ Secure code example
import asyncio
import shlex
import os.path

async def create_archive(user_input):
    # SECURE: reject values that are not an existing path before they reach the command line
    if not os.path.exists(user_input):
        raise ValueError("unknown path")
    # SECURE: shlex.quote() wraps the value so the shell treats it as a single literal word
    safe_input = shlex.quote(user_input)
    # "--" ends tar option parsing, so a quoted value starting with "-" cannot be read as a flag
    command = f"tar -czf archive.tar.gz -- {safe_input}"
    proc = await asyncio.create_subprocess_shell(command)
    await proc.wait()
    return proc.returncode
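A hardened form of the same function, added here as an example that is neither the page's code nor Fluid Attacks': it keeps the page's archive.tar.gz name and shows the shlex.quote() mitigation beside the fix that removes the shell altogether, asyncio.create_subprocess_exec with an argument vector. It also shows the limit of quoting alone: shlex.quote() leaves a value such as --checkpoint-action=exec=id untouched because it contains only characters the shell treats as safe, so only the "--" separator keeps tar from reading it as an option. The names quoted_command, build_tar_argv and run_exec, and the hostile input, are constructed for this example.

```python
import asyncio
import os.path
import shlex

ARCHIVE = "archive.tar.gz"  # assumed output name, taken from the page's example


def quoted_command(user_path):
    """The page's shlex.quote() mitigation: still one string that /bin/sh parses.
    Quoting neutralises ; | $ ( ) and friends, but a value that looks like an
    option survives unchanged, so "--" is needed to stop tar reading it as a flag."""
    return f"tar -czf {ARCHIVE} -- {shlex.quote(user_path)}"


def build_tar_argv(user_path):
    """Preferred fix: an argument vector. No shell ever sees it, so there is
    nothing to quote; "--" still guards against option injection into tar."""
    if not os.path.exists(user_path):
        raise FileNotFoundError(user_path)
    return ["tar", "-czf", ARCHIVE, "--", user_path]


async def _run_exec(argv):
    # Each list element reaches the child as one argv entry, metacharacters and all
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
    )
    out, _err = await proc.communicate()
    return proc.returncode, out.decode()


def run_exec(*argv):
    """Synchronous wrapper so the result can be checked from plain code."""
    return asyncio.run(_run_exec(list(argv)))


async def create_archive(user_path):
    """Hardened replacement for the page's create_archive()."""
    return await _run_exec(build_tar_argv(user_path))


if __name__ == "__main__":
    hostile = "x; id #"  # constructed input: under create_subprocess_shell it would run `id`
    print(quoted_command(hostile))
    # printf receives the whole string as a single argument; the ';' is never interpreted
    print(run_exec("printf", "%s", hostile))
    # quoting does nothing to an option-shaped value; only "--" protects tar here
    print(quoted_command("--checkpoint-action=exec=id"))
```

Prefer build_tar_argv plus create_subprocess_exec wherever the command does not genuinely need shell features such as pipes or globbing; when it does, keep the shell but quote every dynamic word, validate it against an allow-list first, and place "--" before any positional argument the user controls.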