
    >/i                         S r SSKrSSKJr  SSKJr  SSKJr  \R                  r\R                  " S5      \R                  " S5      \R                  " S5      S	 5       5       5       rg)
aG  
========================================
B609: Test for use of wildcard injection
========================================

Python provides a number of methods that emulate the behavior of standard Linux
command line utilities. Like their Linux counterparts, these commands may take
a wildcard "\*" character in place of a file system path. This is interpreted
to mean "any and all files or folders" and can be used to build partially
qualified paths, such as "/home/user/\*".

The use of partially qualified paths may result in unintended consequences if
an unexpected file or symlink is placed into the path location given: the shell
expands the wildcard into file names before the command runs, so a crafted file
name can be parsed as a command-line option. This becomes particularly
dangerous when combined with commands used to manipulate file permissions or
copy data off a system.

This test plugin looks for usage of the following commands in conjunction with
wild card parameters:

- 'chown'
- 'chmod'
- 'tar'
- 'rsync'

It also checks any method configured in the shell or subprocess injection test
configurations.


**Config Options:**

This plugin test shares a configuration with others in the same family, namely
`shell_injection`. This configuration is divided up into three sections,
`subprocess`, `shell` and `no_shell`. They each list Python calls that spawn
subprocesses, invoke commands within a shell, or invoke commands without a
shell (by replacing the calling process) respectively.

This test will scan parameters of all methods in all sections. Note that
methods are fully qualified and de-aliased prior to checking.


.. code-block:: yaml

    shell_injection:
        # Start a process using the subprocess module, or one of its wrappers.
        subprocess:
            - subprocess.Popen
            - subprocess.call

        # Start a process with a function vulnerable to shell injection.
        shell:
            - os.system
            - os.popen
            - popen2.Popen3
            - popen2.Popen4
            - commands.getoutput
            - commands.getstatusoutput
        # Start a process with a function that is not vulnerable to shell
        # injection.
        no_shell:
            - os.execl
            - os.execle


:Example:

.. code-block:: none

    >> Issue: Possible wildcard injection in call: subprocess.Popen
       Severity: High   Confidence: Medium
       CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
       Location: ./examples/wildcard-injection.py:8
    7    o.popen2('/bin/chmod *')
    8    subp.Popen('/bin/chown *', shell=True)
    9

    >> Issue: subprocess call - check for execution of untrusted input.
       Severity: Low   Confidence: High
       CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
       Location: ./examples/wildcard-injection.py:11
    10   # Not vulnerable to wildcard injection
    11   subp.Popen('/bin/rsync *')
    12   subp.Popen("/bin/chmod *")


.. seealso::

 - https://security.openstack.org
 - https://en.wikipedia.org/wiki/Wildcard_character
 - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
 - https://cwe.mitre.org/data/definitions/78.html

.. versionadded:: 0.9.0

.. versionchanged:: 1.7.3
    CWE information added

    N)issue)test_properties)injection_shellshell_injectionCallB609c           
      x   SU;   a  SU;   d  g / SQnU R                   US   ;   d+  U R                   US   ;   Ga  U R                  SS5      (       a  U R                  S:  a  U R                  S5      nSn[	        U[
        5      (       a  U H  nUSU 3-  nM     O[	        U[        5      (       a  UnUS:w  a  U Hz  nXd;   d  M
  S	U;   d  M  [        R                  " [        R                  [        R                  [        R                  R                  S
U R                   -  U R                  S5      S9s  $    g g g g g )Nshell
subprocess)chownchmodtarrsyncTrue   r     *z'Possible wildcard injection in call: %s)severity
confidencecwetextlineno)call_function_name_qualcheck_call_arg_valuecall_args_countget_call_arg_at_position
isinstanceliststrbanditIssueHIGHMEDIUMr   Cwe IMPROPER_WILDCARD_NEUTRALIZATIONget_lineno_for_call_arg)contextconfigvulnerable_funcscall_argumentargument_stringlivulnerable_funcs          [/home/james-whalen/.local/lib/python3.13/site-packages/bandit/plugins/injection_wildcard.py!linux_commands_wildcard_injectionr0   n   s0    v,&"89&&&/9''6,+??((&99""a'#<<Q?M O-..'B#2$x/O (M3//"/"$'7O':?2%||%+[['-}} %		 J J!J%==">#*#B#B7#K   (8 % ( : 	@    )__doc__r!   bandit.corer   r   testbandit.pluginsr   
gen_configtakes_configcheckstest_idr0    r1   r/   <module>r;      sg   
`B   / *''
 $%Vf   &r1   