Ah! It's not as serious as the title says!
That said, the following are some painful cases from the early stages of our product's development. For a broader look at security threats, see Beibei's Python hacking slides (PPT), which cover far more than command execution; the cases below are from code we have actually shipped.
Remember: never trust input supplied by others when executing commands. Once you are aware of the problem, there are plenty of ways to solve it.
In our system it is unreliable to keep finding one problem after another and patching each up afterwards, so we need a general secure execution interface; that will follow in a later update.
Also, when developing new features we need to master standard secure programming practices, and these are not limited to command execution.
To sum up, there are several points:
• Do not build a command string by concatenating input parameters. If you must splice them in, filter each input parameter against a whitelist.
• Type-check input parameters. For example, if you know a parameter is numeric, verifying that it is an int is much safer.
• Be strict when splicing strings: for example, an int parameter should be formatted with %d rather than %s.
• Pass the parameters to subprocess as separate arguments (a list) to prevent command-line injection.
Here are bugs from our earlier code (already migrated away in the latest version =,=) as a tutorial:
Example 1 (variables are not filtered):
a.py
The site variable is actually a url-formatted string that is not filtered. In the old version the site format was not a problem, but the new version supports the url format, so all kinds of symbols can be entered.
The code is as follows:
cmd = 'python a.py --task_id=%s --site=%s -B' % (taski, site)
Example 2 (unreliable filtering):
util/update.py
Although the downloadFile function filters fileName, there are many ways to bypass it.
Linux has many ways to separate commands, so the blacklist approach is unreliable.
The code is as follows:
fileName = downloadInfo[0]
fileName = fileName.replace(';', '').replace('&', '')  # filter the file name
localMd5 = os.popen('md5sum %s %s' % (path, fileName)).read()
The fix is to check fileName against a whitelist format, for example allowing only letters and digits.
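The whitelist approach for Example 2, as an added example (not the project's update.py): the file name is accepted only if every character is in an explicit allowed set, so every separator, quote, space and newline is refused without having to enumerate them, and the md5 is computed in-process with hashlib instead of shelling out to md5sum, so no command string is built at all. The character class, the special-case check for "." and "..", and the sample file are assumptions made for this example.

```python
import hashlib
import os
import re
import tempfile

# Whitelist: letters, digits, dot, underscore and dash; nothing else.
# (Assumed policy for this example; widen it deliberately, not by blacklisting.)
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_safe_filename(name):
    """Whitelist check for a downloaded file's name.

    Anything the character class does not cover is rejected (shell
    separators, whitespace, quotes, slashes, newlines, ...). "." and ".."
    are made of allowed characters only, so they are refused explicitly to
    keep the name from pointing at a directory entry."""
    return (isinstance(name, str)
            and name not in (".", "..")
            and SAFE_NAME_RE.fullmatch(name) is not None)


def local_md5(path, file_name):
    """Replacement for os.popen('md5sum %s %s' % (path, fileName)).read():
    validate the name, join it under path, and hash the file in-process,
    so no shell is involved at all."""
    if not is_safe_filename(file_name):
        raise ValueError("rejected file name: %r" % (file_name,))
    full_path = os.path.join(path, file_name)
    digest = hashlib.md5()
    with open(full_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo():
    """Constructed sample input: write a small file into a temp dir and hash it."""
    tmp_dir = tempfile.mkdtemp()
    with open(os.path.join(tmp_dir, "update.tgz"), "wb") as fh:
        fh.write(b"hello\n")
    return local_md5(tmp_dir, "update.tgz")


if __name__ == "__main__":
    print(demo())
    for candidate in ("update-1.2.tgz", "a;b", "a&b", "a b", ".."):
        print("%-16r safe=%s" % (candidate, is_safe_filename(candidate)))
```

If the external md5sum binary really is required, the same validated name can still be passed to subprocess as a list element (for example with cwd set to path) rather than spliced into a string; the whitelist check stays the same either way.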
Example 3 (insecure formatted string):
B.py
target is a url-formatted string that is not filtered, which is also a potential threat. deep uses %s; in fact it must be an int and %d should be used. If the deep variable can ever be tainted in the future, it will be xxoo.
The code is as follows:
cmd = 'python B.py --task_id "%s" -s %s --deep %s --check_level %s -B' % (taski, target, deep, check_level)
Example 4 (command injection not currently exploitable):
C.py
In the site_report function the tid parameter is not validated, but it cannot be exploited because of the statement that queries the database:
get_object_or_404(Task, get_domain_query(request), id=tid)  # a tid containing special characters is not found here, so the view returns 404; for now this protects the cmd splicing below
Once this statement is changed, a new command injection vulnerability will appear.
cmd = 'sh /opt/report %s > /tmp/export_report.log 2>&1' % tid
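The four rules from the summary applied to the parameters seen in Examples 1, 3 and 4, as an added example that is not the project's code: integer parameters (task_id, deep, check_level, tid) are type-checked and formatted with %d, the url-formatted site parameter is matched against a whitelist instead of being filtered, and the command is built as an argument list for subprocess with no shell, so a separator inside a value reaches the child process as one literal argument. The script name scan.py, the argument names, and the URL whitelist are assumptions made for this example; the last function uses the Python interpreter itself as the child so the demonstration runs anywhere.

```python
import re
import subprocess
import sys

# Whitelist for the url-formatted "site" parameter: http(s) scheme, host name,
# optional port and a conservative path character set. (Assumed policy.)
SITE_RE = re.compile(r"https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~/-]*)?")


def check_int(name, value):
    """Type verification: the parameter must be a non-negative integer.
    Accepts an int or an all-digit string (as it arrives from a request)."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("%s must be an int, got %r" % (name, value))
    if isinstance(value, str):
        if re.fullmatch(r"[0-9]+", value) is None:
            raise ValueError("%s must be numeric, got %r" % (name, value))
        value = int(value)
    if value < 0:
        raise ValueError("%s must be non-negative, got %d" % (name, value))
    return value


def check_site(site):
    """Whitelist verification: reject anything that is not a plain URL."""
    if not isinstance(site, str) or SITE_RE.fullmatch(site) is None:
        raise ValueError("site is not a well-formed URL: %r" % (site,))
    return site


def build_scan_argv(task_id, site, deep, check_level):
    """Build the argument vector for the scanner call (scan.py is assumed).
    Each parameter becomes exactly one argv element; no shell parses it."""
    task_id = check_int("task_id", task_id)
    deep = check_int("deep", deep)
    check_level = check_int("check_level", check_level)
    site = check_site(site)
    # Ints are formatted with %d: a non-int here raises TypeError instead of
    # being spliced in silently as %s would allow.
    return [sys.executable, "scan.py",
            "--task_id", "%d" % task_id,
            "--site", site,
            "--deep", "%d" % deep,
            "--check_level", "%d" % check_level]


def run_argv(argv):
    """Execute an argument list without shell=True and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def demo_argument_stays_literal(value):
    """Pass a value containing shell metacharacters as one list element and
    return what the child process saw in sys.argv[1]: the value itself."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return run_argv(argv).rstrip("\n")


def is_rejected(func, *args):
    """Helper for checking the validators: True if func(*args) raises ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_scan_argv("7", "https://example.com:8443/a", 2, "1"))
    print(is_rejected(check_site, "http://example.com; id"))
    print(demo_argument_stays_literal("x; y && z | w"))
```

The same check_int belongs in front of the site_report view of Example 4: validate tid as an int before the database lookup and the report command, so the protection no longer depends on get_object_or_404 happening to return 404 for odd input.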