Python's Common Command Injection Threats

Source: Internet
Author: User

Ah! It is really not as serious as the title makes it sound!

These are some of the ugly cases from the early days of our product. For more security threats, see North North's Python hacking slides (PPT), which cover not only the threat of command execution but also code problems we have run into ourselves.

Remember: when you execute a command, never trust data that comes in from outside. Now that you are aware of the problem, there are plenty of ways to fix it.

Our system has many such problems, and patching them one by one is not reliable, so we need a common, secure command execution interface; that interface will be published in a later update.

In addition, when we develop new features we also need to master secure coding techniques, and these are not limited to the safety of command execution.

To sum up, there are a few key points:

• Never build a command string by splicing in input parameters; instead, apply a whitelist filter to every input parameter.
• Always type-check incoming parameters: for example, if you know a value should be numeric, check that it is an int, which is much safer.
• When you do format a string, be strict: for an int parameter use %d, never %s.
• Use subprocess and pass the command as a list of separate arguments to prevent command line injection.

Here is a walkthrough of the bugs that existed in our previous code (which was also the latest version =,=):

Example 1 (variable not filtered):

a.py

The site variable is actually a string in URL format and is not filtered. In the old version the site format was not a problem, but the new version accepts the URL format, so all kinds of symbols can be passed in.


cmd = 'python a.py --task_id=%s --site=%s -b' % (taski, site)  # site is spliced in unfiltered

Example 2 (insecure filtering):

util/update.py

The DownloadFile function does filter the filename, but there are many ways around it.

Linux has so many ways to separate commands that a blacklist approach is not secure.


filename = downloadinfo[0]
filename = filename.replace(';', '').replace('&', '')  # filter the file name (blacklist: insufficient)
localmd5 = os.popen('md5sum %s%s' % (path, filename)).read()  # filename still reaches the shell

The fix is a whitelist format check on filename, for example allowing only letters and digits, and ...

Example 3 (unsafe format string):

b.py

target is a string in URL format and is not filtered. There is also a potential threat in deep, which is formatted with %s; it must in fact be an int, so %d is the right choice. If there were any way to taint the deep variable, it would be game over.


cmd = "python b.py --task_id '%s' -s %s --deep %s --check_level %s -b" % (taski, target, deep, check_level)

Example 4 (a command injection that cannot currently be exploited):

c.py

In the site_report function the tid parameter is not validated. The injection is currently unreachable only because of the database query statement before it:

get_object_or_404(Task, get_domain_query(request), id=tid)  # a tid with special characters matches no record, so this returns 404 and, for now, shields the cmd splicing below

Once that statement is changed, this becomes a new command injection vulnerability:

cmd = 'sh /opt/report %s > /tmp/export_report.log 2>&1' % tid  # tid is spliced in unvalidated
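As an added example (not code from the original post or its code base), here is how the four points above apply to the parameters from Examples 2 and 3: whitelist checks for the URL-style target and the file name, int type checks with the %d rule, and subprocess argument lists instead of spliced command strings. The regular expressions, function names and argument layout are assumptions for illustration.

```python
import re
import subprocess
import sys

# Whitelist patterns (constructed for this example; tighten them to your own formats).
# Examples 1/3: the URL-style site/target parameter, with no shell metacharacters at all.
SITE_RE = re.compile(r'^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._/-]*)?$')
# Example 2: file name of letters, digits, dot, underscore and dash; no leading '.' or '-'.
FILENAME_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9._-]*$')

def validate_int(value, name):
    """Type check for numeric parameters such as task_id, deep and check_level."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise ValueError('%s must be an integer, got %r' % (name, value))

def validate_site(site):
    if not SITE_RE.match(site):
        raise ValueError('site rejected by whitelist: %r' % site)
    return site

def validate_filename(filename):
    if not FILENAME_RE.match(filename) or '..' in filename:
        raise ValueError('filename rejected by whitelist: %r' % filename)
    return filename

def deep_option_old_style(deep):
    """The '%d, not %s' rule: formatting a non-integer with %d fails loudly (TypeError)."""
    return '--deep %d' % deep

def build_scan_argv(taski, target, deep, check_level):
    """Safe replacement for the cmd string of Example 3: an argv list, never a shell string."""
    return ['python', 'b.py',
            '--task_id', str(validate_int(taski, 'task_id')),
            '-s', validate_site(target),
            '--deep', str(validate_int(deep, 'deep')),
            '--check_level', str(validate_int(check_level, 'check_level')),
            '-b']

def build_md5_argv(path, filename):
    """Safe replacement for the os.popen('md5sum ...') call of Example 2 (path is trusted)."""
    return ['md5sum', '--', path + validate_filename(filename)]  # '--' ends option parsing

def run_without_shell(argv):
    """shell=False (the default): each list element reaches the program as one argument."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

def echo_argument(value):
    """Demo: a child process receives an argument containing ';' as plain text, not a command."""
    return run_without_shell([sys.executable, '-c', 'import sys; sys.stdout.write(sys.argv[1])', value])

def is_rejected(validator, *args):
    """True when the validator raises (used to exercise the whitelists and the %d rule)."""
    try:
        validator(*args)
        return False
    except (ValueError, TypeError):
        return True
```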
