Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be used (when parameters are user-controlled for instance) to inject OS commands.
There is a risk if you answered yes to this question.
Use functions that don't spawn a shell.
Python 3
subprocess.run(cmd, shell=True) # Sensitive subprocess.Popen(cmd, shell=True) # Sensitive subprocess.call(cmd, shell=True) # Sensitive subprocess.check_call(cmd, shell=True) # Sensitive subprocess.check_output(cmd, shell=True) # Sensitive os.system(cmd) # Sensitive: a shell is always spawn
Python 2
cmd = "when a string is passed through these function, a shell is spawn" (_, child_stdout, _) = os.popen2(cmd) # Sensitive (_, child_stdout, _) = os.popen3(cmd) # Sensitive (_, child_stdout) = os.popen4(cmd) # Sensitive (child_stdout, _) = popen2.popen2(cmd) # Sensitive (child_stdout, _, _) = popen2.popen3(cmd) # Sensitive (child_stdout, _) = popen2.popen4(cmd) # Sensitive
Python 3
# by default shell=False, a shell is not spawn subprocess.run(cmd) # Compliant subprocess.Popen(cmd) # Compliant subprocess.call(cmd) # Compliant subprocess.check_call(cmd) # Compliant subprocess.check_output(cmd) # Compliant # always in a subprocess: os.spawnl(mode, path, *cmd) # Compliant os.spawnle(mode, path, *cmd, env) # Compliant os.spawnlp(mode, file, *cmd) # Compliant os.spawnlpe(mode, file, *cmd, env) # Compliant os.spawnv(mode, path, cmd) # Compliant os.spawnve(mode, path, cmd, env) # Compliant os.spawnvp(mode, file, cmd) # Compliant os.spawnvpe(mode, file, cmd, env) # Compliant (child_stdout) = os.popen(cmd, mode, 1) # Compliant (_, output) = subprocess.getstatusoutput(cmd) # Compliant out = subprocess.getoutput(cmd) # Compliant os.startfile(path) # Compliant os.execl(path, *cmd) # Compliant os.execle(path, *cmd, env) # Compliant os.execlp(file, *cmd) # Compliant os.execlpe(file, *cmd, env) # Compliant os.execv(path, cmd) # Compliant os.execve(path, cmd, env) # Compliant os.execvp(file, cmd) # Compliant os.execvpe(file, cmd, env) # Compliant
Python 2
cmdsargs = ("use", "a", "sequence", "to", "directly", "start", "a", "subprocess")
(_, child_stdout) = os.popen2(cmdsargs) # Compliant
(_, child_stdout, _) = os.popen3(cmdsargs) # Compliant
(_, child_stdout) = os.popen4(cmdsargs) # Compliant
(child_stdout, _) = popen2.popen2(cmdsargs) # Compliant
(child_stdout, _, _) = popen2.popen3(cmdsargs) # Compliant
(child_stdout, _) = popen2.popen4(cmdsargs) # Compliant
This rule is deprecated, and will eventually be removed.