Conversation
Great job, no security vulnerabilities found in this Pull Request
def execute_cmd_str_direct(name):
    """convert to list"""
    subprocess.run(f"echo 'Hello, {name}!'", shell=True)
Command Injection fix is ready
This change fixes a high severity (🚩) Command Injection issue reported by Semgrep.
Issue description
Command Injection (CMDI) allows attackers to inject malicious commands into vulnerable applications, which can result in execution of arbitrary commands on the underlying operating system.
Fix instructions
Validate or sanitize user input to prevent executing arbitrary commands.
diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -3,7 +3,7 @@
def execute_cmd_str_direct(name):
"""convert to list"""
- subprocess.run(f"echo 'Hello, {name}!'", shell=True)
+ subprocess.run(['echo', f'Hello, {name}!'], shell=True)
def execute_cmd_str_var(name):
"""convert var to list"""
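Review bot: the `+` line switches to a list but leaves `shell=True` in place, which breaks the function rather than fixing it cleanly. With a sequence and `shell=True`, `subprocess.run` on POSIX hands only the first element (`'echo'`) to `/bin/sh -c` and passes the remaining elements as the shell's positional parameters, so `echo` runs with no arguments and the greeting is never printed; the name ends up in `$0` of the shell instead of being parsed, so the injection is gone only as a side effect. The fix that matches the docstring "convert to list" is `subprocess.run(['echo', f'Hello, {name}!'])` with `shell=True` dropped, so the name reaches `echo` as a single argv entry and shell metacharacters in it are inert.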
def execute_cmd_list_direct(name):
    """already a safe list, fp"""
    subprocess.run(["echo", f"Hello, {name}!"], shell=True)
Irrelevant issues were spotted - no action required 🧹
The following issues reported by Semgrep on this PR were found to be irrelevant to your project:
Tip
Command Injection - issue was found to be a false positive.
Mobb recommends ignoring this issue; however, a fix is available if you think differently.
Justification
The flagged code does not represent an actual vulnerability within the application’s context. This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application’s functionality.
Issue description
Command Injection (CMDI) allows attackers to inject malicious commands into vulnerable applications, which can result in execution of arbitrary commands on the underlying operating system.
    """convert var to list"""
    base_command = "echo"
    the_cmd = base_command + f"'Hello, {name}!'"
    subprocess.run(the_cmd, shell=True)
Command Injection fix is ready
This change fixes a high severity (🚩) Command Injection issue reported by Semgrep.
Issue description
Command Injection (CMDI) allows attackers to inject malicious commands into vulnerable applications, which can result in execution of arbitrary commands on the underlying operating system.
Fix instructions
Validate or sanitize user input to prevent executing arbitrary commands.
diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -21,7 +21,7 @@
def execute_cmd_str_var_concat(name):
"""convert var to list"""
base_command = "echo"
- the_cmd = base_command + f"'Hello, {name}!'"
+ the_cmd = [base_command, f"Hello, {name}!"]
subprocess.run(the_cmd, shell=True)
def execute_cmd_str_var_with_other_usages(name):
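Review bot: the `+` line builds `the_cmd` as a list, but the unchanged context line `subprocess.run(the_cmd, shell=True)` still runs it through the shell, so this hunk is incomplete. On POSIX a list with `shell=True` sends only `base_command` to `/bin/sh -c` and makes `f"Hello, {name}!"` a positional parameter of the shell, so `echo` prints an empty line. The call site should change to `subprocess.run(the_cmd)` (no `shell=True`) in the same hunk; that is what makes the list form safe and keeps the output as intended.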
def execute_cmd_list_var(name):
    """already a safe list, fp"""
    the_cmd = ["echo", f"Hello, {name}!"]
    subprocess.run(the_cmd, shell=True)
Irrelevant issues were spotted - no action required 🧹
The following issues reported by Semgrep on this PR were found to be irrelevant to your project:
Tip
Command Injection - issue was found to be a false positive.
Mobb recommends ignoring this issue; however, a fix is available if you think differently.
Justification
The flagged code does not represent an actual vulnerability within the application’s context. This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application’s functionality.
Issue description
Command Injection (CMDI) allows attackers to inject malicious commands into vulnerable applications, which can result in execution of arbitrary commands on the underlying operating system.
def execute_cmd_str_var(name):
    """convert var to list"""
    the_cmd = f"echo 'Hello, {name}!'"
    subprocess.run(the_cmd, shell=True)
Command Injection fix is ready
This change fixes a high severity (🚩) Command Injection issue reported by Semgrep.
Issue description
Command Injection (CMDI) allows attackers to inject malicious commands into vulnerable applications, which can result in execution of arbitrary commands on the underlying operating system.
Fix instructions
Validate or sanitize user input to prevent executing arbitrary commands.
diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -7,7 +7,7 @@
def execute_cmd_str_var(name):
"""convert var to list"""
- the_cmd = f"echo 'Hello, {name}!'"
+ the_cmd = ['echo', f'Hello, {name}!']
subprocess.run(the_cmd, shell=True)
def execute_cmd_str_var_multi_line(name):
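Review bot: same defect as the other two hunks: the `+` line converts `the_cmd` to a list while the context line `subprocess.run(the_cmd, shell=True)` is left untouched, so the shell still runs and `echo` receives no arguments (the greeting becomes the shell's `$0`). Remove `shell=True` from the call in this hunk. As a minor style point, the new line uses single quotes while the rest of the file uses double quotes.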

No description provided.
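The three "Command Injection fix is ready" comments above all replace a command string with a list but keep `shell=True`. The script below is an added example, not code from this PR or from Mobb, and contrasts the three call styles on a constructed name containing an apostrophe so the difference in behaviour is observable; it assumes a POSIX `/bin/sh` and a `echo` binary on PATH.

```python
import subprocess

# Constructed sample input: a name with an apostrophe. Harmless by itself,
# but it is enough to show whether the shell parses the caller's data.
SAMPLE_NAME = "O'Brien"


def greet_str_shell(name):
    """Pattern Semgrep flagged in the PR: data spliced into a shell string.
    The apostrophe closes the quote early and /bin/sh rejects the command
    (or, with other input, runs something else entirely)."""
    cp = subprocess.run(f"echo 'Hello, {name}!'", shell=True,
                        capture_output=True, text=True)
    return cp.returncode, cp.stdout


def greet_list_shell(name):
    """The PR's patched form: a list, but shell=True is still set.
    On POSIX only the first element goes to '/bin/sh -c'; the rest become
    the shell's positional parameters, so echo runs with no arguments."""
    cp = subprocess.run(["echo", f"Hello, {name}!"], shell=True,
                        capture_output=True, text=True)
    return cp.returncode, cp.stdout


def greet_list_no_shell(name):
    """Hardened form: argument list and no shell. The name reaches echo as
    one argv entry, so quotes, ';' or '$' inside it are inert."""
    cp = subprocess.run(["echo", f"Hello, {name}!"],
                        capture_output=True, text=True)
    return cp.returncode, cp.stdout


def compare(name=SAMPLE_NAME):
    """Run all three styles and report (returncode, stdout) for each."""
    return {
        "str+shell": greet_str_shell(name),
        "list+shell": greet_list_shell(name),
        "list": greet_list_no_shell(name),
    }


if __name__ == "__main__":
    for style, (rc, out) in compare().items():
        print(f"{style:11} rc={rc} stdout={out!r}")
```

Only the last style both prints the intended greeting and keeps the input out of the shell's parser; the list-plus-`shell=True` form silently prints an empty line.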