Skip to content

Add files via upload #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
antonychiu2 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add files via upload #10

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 97 additions & 0 deletions src/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
import subprocess
import sys

def execute_cmd_str_direct(name):
"""convert to list"""
subprocess.run(f"echo 'Hello, {name}!'", shell=True)
Copy link

@github-actions github-actions bot Apr 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image Command Injection fix is ready

This change fixes a high severity (🚩) Command Injection issue reported by Semgrep.

Issue description

Command Injection (CMDI) allows attackers inject malicious commands into vulnerable applications, that can result in execution of arbitrary commands on the underlying operating system.

Fix instructions

Validate or sanitize user input to prevent executing arbitrary commands.

diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -3,7 +3,7 @@
 
 def execute_cmd_str_direct(name):
     """convert to list"""
-    subprocess.run(f"echo 'Hello, {name}!'", shell=True)
+    subprocess.run(['echo', f'Hello, {name}!'], shell=True)
 
 def execute_cmd_str_var(name):
     """convert var to list"""


Learn more and fine tune the fix


def execute_cmd_str_var(name):
"""convert var to list"""
the_cmd = f"echo 'Hello, {name}!'"
subprocess.run(the_cmd, shell=True)
Copy link

@github-actions github-actions bot Apr 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image Command Injection fix is ready

This change fixes a high severity (🚩) Command Injection issue reported by Semgrep.

Issue description

Command Injection (CMDI) allows attackers inject malicious commands into vulnerable applications, that can result in execution of arbitrary commands on the underlying operating system.

Fix instructions

Validate or sanitize user input to prevent executing arbitrary commands.

diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -7,7 +7,7 @@
 
 def execute_cmd_str_var(name):
     """convert var to list"""
-    the_cmd = f"echo 'Hello, {name}!'"
+    the_cmd = ['echo', f'Hello, {name}!']
     subprocess.run(the_cmd, shell=True)
 
 def execute_cmd_str_var_multi_line(name):


Learn more and fine tune the fix


def execute_cmd_str_var_multi_line(name):
"""convert var to list"""
the_cmd = f"echo 'Hello, {name}!' " \
"a very long command" \
"with multiple lines" \
"finish with" + name
subprocess.run(the_cmd, shell=True)

def execute_cmd_str_var_concat(name):
"""convert var to list"""
base_command = "echo"
the_cmd = base_command + f"'Hello, {name}!'"
subprocess.run(the_cmd, shell=True)
Copy link

@github-actions github-actions bot Apr 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image Command Injection fix is ready

This change fixes a high severity (🚩) Command Injection issue reported by Semgrep.

Issue description

Command Injection (CMDI) allows attackers inject malicious commands into vulnerable applications, that can result in execution of arbitrary commands on the underlying operating system.

Fix instructions

Validate or sanitize user input to prevent executing arbitrary commands.

diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -21,7 +21,7 @@
 def execute_cmd_str_var_concat(name):
     """convert var to list"""
     base_command = "echo"
-    the_cmd = base_command + f"'Hello, {name}!'"
+    the_cmd = [base_command, f"Hello, {name}!"]
     subprocess.run(the_cmd, shell=True)
 
 def execute_cmd_str_var_with_other_usages(name):


Learn more and fine tune the fix


def execute_cmd_str_var_with_other_usages(name):
"""cannot change the type of the_cmd, so no fix"""
the_cmd = f"echo 'Hello, {name}!'"
subprocess.run(the_cmd, shell=True)
return the_cmd

def execute_cmd_list_direct(name):
"""already a safe list, fp"""
subprocess.run(["echo", f"Hello, {name}!"], shell=True)
Copy link

@github-actions github-actions bot Apr 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image Irrelevant issues were spotted - no action required 🧹

The following issues reported by Semgrep on this PR were found to be irrelevant to your project:

Tip

Command Injection - issue was found to be a false positive.
Mobb recommends to ignore this issue, however fix is available if you think differently.

Justification

The flagged code does not represent an actual vulnerability within the application’s context. This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application’s functionality.

Issue description

Command Injection (CMDI) allows attackers inject malicious commands into vulnerable applications, that can result in execution of arbitrary commands on the underlying operating system.

Learn more and fine tune the issue


def execute_cmd_list_var(name):
"""already a safe list, fp"""
the_cmd = ["echo", f"Hello, {name}!"]
subprocess.run(the_cmd, shell=True)
Copy link

@github-actions github-actions bot Apr 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image Irrelevant issues were spotted - no action required 🧹

The following issues reported by Semgrep on this PR were found to be irrelevant to your project:

Tip

Command Injection - issue was found to be a false positive.
Mobb recommends to ignore this issue, however fix is available if you think differently.

Justification

The flagged code does not represent an actual vulnerability within the application’s context. This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application’s functionality.

Issue description

Command Injection (CMDI) allows attackers inject malicious commands into vulnerable applications, that can result in execution of arbitrary commands on the underlying operating system.

Learn more and fine tune the issue


def execute_cmd_list_var_concat(name):
"""already a safe list, fp"""
the_cmd = ["echo", f"Hello, {name}!"] + ["a", "b"]
subprocess.run(the_cmd, shell=True)

def execute_cmd_list_var_first_element_is_vuln(name):
"""no fix since the first element is vuln"""
the_cmd = [f"{name}", f"Hello, {name}!"]
subprocess.run(the_cmd, shell=True)

def execute_cmd_unknown_var(the_cmd):
"""no fix since the_cmd is unknown"""
subprocess.run(the_cmd, shell=True)

def execute_cmd_unknown_var2(name):
"""no fix since the_cmd is unknown"""
the_cmd = _get_cmd(name)
subprocess.run(the_cmd, shell=True)

def _get_cmd(name):
return f"echo 'Hello, {name}!'"


def execute_cmd_str_var_with_several_assignments(name):
"""cannot change the type of the_cmd, to avoid breaking other usages"""
the_cmd = f"echo 'Hello, {name}!'"
the_cmd = f"echo 'Welcome, {name}!'"
subprocess.run(the_cmd, shell=True)

some_global_cmd = "cmd"
subprocess.run(some_global_cmd, shell=True)

def execute_cmd_global_var():
"""no fix since some_global_cmd is unknown"""
subprocess.run(some_global_cmd, shell=True)

def execute_cmd_global_var2(name):
"""no fix since some_global_cmd is unknown"""
subprocess.run(some_global_cmd, shell=True)
some_global_cmd = f"echo 'Hello, {name}!'" # must not fix this string

if __name__ == "__main__":
execute_cmd_str_direct(sys.argv[1])
execute_cmd_str_var(sys.argv[1])
execute_cmd_str_var_multi_line(sys.argv[1])
execute_cmd_str_var_concat(sys.argv[1])
execute_cmd_str_var_with_other_usages(sys.argv[1])
execute_cmd_list_direct(sys.argv[1])
execute_cmd_list_var(sys.argv[1])
execute_cmd_list_var_concat(sys.argv[1])
execute_cmd_list_var_first_element_is_vuln(sys.argv[1])
execute_cmd_unknown_var(sys.argv[1])
execute_cmd_unknown_var2(sys.argv[1])
execute_cmd_str_var_with_several_assignments(sys.argv[1])
execute_cmd_global_var()
execute_cmd_global_var2(sys.argv[1])
Loading