Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential security issue with a possible injection #95

Closed
stationeros opened this issue Aug 22, 2023 · 2 comments · Fixed by #168
Closed

Potential security issue with a possible injection #95

stationeros opened this issue Aug 22, 2023 · 2 comments · Fixed by #168
Assignees
@Madhura-saw
Labels
bug Something isn't working good first issue Good for newcomers hacktoberfest

Comments

@stationeros
Copy link
Contributor

We are using os.system inside install

https://github.com/intuit/Trapheus/blob/master/install.py#L17
https://github.com/intuit/Trapheus/blob/master/install.py#L44

This type of invocation is dangerous as it is vulnerable to various shell injection attacks. Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by the use of certain commands which are known to use shells.

Remediation
The subprocess module provides more powerful facilities for spawning new processes and retrieving their results; using that module is preferable to using this function.

Example of secure code:

import subprocess

subprocess.call('/bin/echo suspicious code', shell=False)
@stationeros stationeros added the good first issue Good for newcomers label Aug 22, 2023
@stationeros stationeros added hacktoberfest bug Something isn't working labels Sep 24, 2023
@Madhura-saw
Copy link
Contributor

Could I be assigned to this issue?

@stationeros
Copy link
Contributor Author

Sure , assigned to you

@Madhura-saw Madhura-saw mentioned this issue Oct 2, 2023
Merged
5 tasks
@namitad namitad closed this as completed Oct 3, 2023
@namitad namitad mentioned this issue Oct 10, 2023
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Madhura-saw Madhura-saw

Labels
bug Something isn't working good first issue Good for newcomers hacktoberfest
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fixing possible security issues in install.py intuit/Trapheus
3 participants
@namitad @Madhura-saw @stationeros