Ah! It's really not as serious as the title makes it sound!
But here are some of the ugly cases we produced early in the product; more of these security threats can be found in classmate Beibei's "Python hack" slides, which cover more than just the command execution threat. The cases here come from our own code.
Be sure to remember this whenever you execute a command: never trust the data coming in. Once you are aware of the problem, there are many ways to fix it.
Our system has many such problems, and patching them one by one is not reliable, so we need a common secure command-execution interface; that interface is being updated.
In addition, when developing new features we also have to master the norms of secure programming, which are not limited to command execution.
Summed up, it comes down to a few points:
• Do not build the command string by splicing in input parameters; if you really must splice, apply a whitelist filter to the input parameters first.
• Always type-check incoming parameters; for example, if you know a value is numeric, checking that it is an int makes things a lot safer.
• Be just as strict with string formatting: when inserting an int parameter, use %d for it, not %s.
• Use subprocess and pass the arguments as a list to prevent command-line injection.
Let's use bugs from code we wrote ourselves (the latest version, =,=) as the tutorial:
Example 1 (variable not filtered):
a.py
The site variable is a URL-formatted string, and it is not filtered. In the old version the site format did not have this problem; the new version supports the URL format, so all sorts of symbols can be passed in.
cmd = 'python /a.py --task_id=%s --site=%s -b' % (taski, site)
Example 2 (unreliable filtering):
util/update.py
Although the DownloadFile function filters filename, there are many ways to bypass it.
There are very many ways to separate commands on Linux, so the blacklist approach is not reliable.
filename = downloadinfo[0]
filename = filename.replace(';', '').replace('&', '')  # filter the filename
localmd5 = os.popen('md5sum %s%s' % (path, filename)).read()
The fix is to check the filename against a whitelist format, for example allowing only letters and digits.
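As an added illustration (not code from this post or its project), here is the blacklist filter from Example 2 next to a hardened version that applies the points summed up above: a whitelist for the filename, a type check for integer parameters, and md5sum run through subprocess with an argument list instead of a formatted shell string. The names safe_filename, safe_int, md5sum_argv and local_md5 are assumptions; downloadinfo is not used.

```python
import re
import subprocess
from pathlib import Path

# Added illustration; the function names below are assumptions, not the project's API.


def blacklist_filter(filename):
    """Example 2's filter as the post shows it: strips ';' and '&' only.
    Other separators such as '|', '`', '$(' and newlines pass straight through."""
    return filename.replace(';', '').replace('&', '')


# Whitelist: letters, digits, '.', '_' and '-'. The first character must be a letter
# or digit so the name can never be read as an option ("-c") or a path ("../").
_SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')


def is_safe_filename(filename):
    return _SAFE_NAME.match(filename) is not None


def safe_filename(filename):
    """Return filename unchanged if it matches the whitelist, otherwise reject it."""
    if not is_safe_filename(filename):
        raise ValueError('rejected filename: %r' % filename)
    return filename


def safe_int(value):
    """Type check for parameters like deep or task_id: digits only, returned as int."""
    if not re.fullmatch(r'[0-9]+', str(value)):
        raise ValueError('expected an integer, got %r' % value)
    return int(value)


def md5sum_argv(path, filename):
    """Build argv for md5sum: one list element per argument, no shell involved,
    plus '--' so that even a leading '-' could not be parsed as an option."""
    return ['md5sum', '--', str(Path(path) / safe_filename(filename))]


def local_md5(path, filename):
    """Hardened replacement for os.popen('md5sum %s%s' % (path, filename)).read()."""
    result = subprocess.run(md5sum_argv(path, filename), capture_output=True,
                            text=True, check=True)
    return result.stdout.split()[0]  # md5sum prints '<hex>  <file>'


if __name__ == '__main__':
    # Constructed inputs: both survive the blacklist, only the first passes the whitelist.
    for name in ('report.txt', 'report.txt | id'):
        print(repr(blacklist_filter(name)), 'whitelisted:', is_safe_filename(name))
```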
Example 3 (unsafe formatted string):
b.py
target is a URL-formatted string, and it is not filtered. There is also a latent threat: deep is formatted with %s, but it must be an int, so %d should be used; if anyone ever gets a chance to taint the deep variable, it's all over.
cmd = "python b.py --task_id '%s' -s %s --deep %s --check_level %s -b" % (taski, target, deep, check_level)
Example 4 (command injection that cannot be exploited yet):
c.py
In the site_report function, the tid parameter is not formatted or checked. It is not currently exploitable because a database query comes first:
get_object_or_404(Task, get_domain_query(request), id=tid)  # a tid carrying special characters finds no record here, so this becomes a 404, which for now protects the cmd string built below
Once that statement is changed, it can turn into a new command injection vulnerability:
cmd = 'sh /opt/report %s > /tmp/export_report.log 2>&1' % tid