CodeQL library for Python
codeql/python-all 1.0.6 (changelog, source)

Module UnsafeShellCommandConstruction

Module containing the sources, sinks, and sanitizers for shell command constructed from library input vulnerabilities, i.e. shell commands that a library builds from strings its callers pass in.

Import path

import semmle.python.security.dataflow.UnsafeShellCommandConstructionCustomizations

Predicates

isUsedAsShellCommand

Holds if the string constructed at source is executed as a shell command at shellExec.

Classes

ArrayJoin

A string constructed using a " ".join(...) call, where the resulting string ends up being executed as a shell command.

Sanitizer

A sanitizer for shell command constructed from library input vulnerabilities.

ShlexQuoteAsSanitizer

A call to shlex.quote, considered as a sanitizer.

Sink

A sink for shell command constructed from library input vulnerabilities.

Source

A source for shell command constructed from library input vulnerabilities.

StringConcatAsSink

A component of a string-concatenation (e.g. "foo " + sink), where the resulting string ends up being executed as a shell command.

StringInterpolationAsSink

A string constructed from a formatted string literal (an f-string, e.g. f'foo {sink}'), where the resulting string ends up being executed as a shell command.

TaintedFormatStringAsSink

A string constructed from a format call, either a call to .format(..) or a string-interpolation with the % operator, where the resulting string ends up being executed as a shell command.
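The sink classes and the sanitizer above correspond to concrete Python source patterns. The following is an added example, not code from the CodeQL library or its documentation: it builds one command string in each form the sink classes describe (concatenation, f-string, .format, %, and " ".join), tokenizes each the way a POSIX shell would to show that an injected second command is present, and contrasts that with the shlex.quote-sanitized form and with an argv list executed without a shell. The filename payload, the helper names, and the use of the Python interpreter as a stand-in for cat are all constructed for this example.

```python
import shlex
import subprocess
import sys

# Constructed sample input: a filename a caller might hand to a library
# function. The ';' tries to smuggle a second command past the shell.
UNTRUSTED_FILENAME = "report.txt; echo pwned"


def vulnerable_commands(filename):
    """Build a shell command from untrusted input in each of the ways the
    module's sink classes describe. Deliberately unsafe: never pass these
    strings to os.system() or to subprocess with shell=True."""
    return {
        "concat": "cat " + filename,            # StringConcatAsSink
        "fstring": f"cat {filename}",           # StringInterpolationAsSink
        "format": "cat {}".format(filename),    # TaintedFormatStringAsSink (.format)
        "percent": "cat %s" % filename,         # TaintedFormatStringAsSink (% operator)
        "join": " ".join(["cat", filename]),    # ArrayJoin
    }


def quoted_command(filename):
    """The sanitized form: shlex.quote wraps the input in single quotes so the
    shell sees it as a single word (ShlexQuoteAsSanitizer)."""
    return "cat " + shlex.quote(filename)


def shell_words(command):
    """Tokenize a command the way a POSIX shell would. punctuation_chars makes
    ';', '|', '&' etc. come out as separate operator tokens, so an injected
    command boundary becomes visible instead of being glued to a word."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def has_injected_command(command):
    """True if the tokenized command contains a ';' command separator."""
    return ";" in shell_words(command)


def run_without_shell(filename):
    """Hardened alternative that needs no quoting at all: pass an argv list and
    no shell. The Python interpreter stands in for 'cat' (constructed for this
    example so it runs anywhere) and echoes back the one argument it received."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for name, cmd in vulnerable_commands(UNTRUSTED_FILENAME).items():
        print(f"{name:8} {cmd!r:40} injected={has_injected_command(cmd)}")
    safe = quoted_command(UNTRUSTED_FILENAME)
    print(f"{'quoted':8} {safe!r:40} injected={has_injected_command(safe)}")
    print("argv list, no shell:", run_without_shell(UNTRUSTED_FILENAME))
```

Every entry of vulnerable_commands() tokenizes to five words with ';' standing alone between "report.txt" and "echo", which is exactly the extra command the query is trying to catch; the quoted form tokenizes to two words because the payload stays inside one quoted argument. Preferring the argv-list form over quoting removes the shell from the picture entirely, so there is nothing left to sanitize.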

Aliases

TypeTracker

Provides classes and predicates for simple data-flow reachability suitable for tracking types.