Improper control of generation of code ('Code Injection')
Description
The application calls the `logging.config.listen` function, which starts a socket server that accepts logging configuration from clients connecting to it. The listener parses the received configuration and passes part of it to `eval`. A local user, or an adversary who can exploit a Server Side Request Forgery (SSRF) vulnerability to reach the port over localhost, could therefore execute arbitrary code by sending a logging config that contains Python code.
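The following is an added example of the kind of check this rule performs; it is not the rule's own implementation and the function names (`find_listen_calls`, `_import_aliases`) are assumptions. It walks a module's AST, resolves import aliases, and reports every call that resolves to `logging.config.listen`, including calls made through `from logging import config as ...` or `import logging.config as ...`.

```python
import ast

# Fully qualified name the rule looks for.
TARGET = ("logging", "config", "listen")


def _dotted_name(node):
    """Turn an `a.b.c` attribute chain into a tuple of names, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _import_aliases(tree):
    """Map each locally bound name to the module path it refers to."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    aliases[alias.asname] = alias.name
                else:
                    # `import logging.config` binds only the top-level name.
                    top = alias.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def find_listen_calls(source: str, filename: str = "<string>"):
    """Return [(lineno, resolved_name)] for every call resolving to TARGET."""
    tree = ast.parse(source, filename)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if not name:
            continue
        head, rest = name[0], name[1:]
        resolved = tuple(aliases.get(head, head).split(".")) + rest
        if resolved == TARGET:
            findings.append((node.lineno, ".".join(resolved)))
    return sorted(findings)


# Constructed sample module exercising the import styles the scanner resolves.
SAMPLE = """\
import logging
import logging.config
from logging import config as logcfg

logging.basicConfig(level=logging.INFO)   # safe: no listener
t = logging.config.listen(9020)           # line 6: flagged
logcfg.listen(9030)                       # line 7: flagged via alias
"""

if __name__ == "__main__":
    for lineno, name in find_listen_calls(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: call to {name} (CWE-94)")
```

Resolution is purely syntactic: the scanner follows `import` and `from ... import` bindings but not runtime reassignment or `getattr`, which is the same trade-off most static rules make.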
Examples
Insecure Code
```python
import logging.config

# Configuration received on this port is parsed and partly eval()'d, with no authentication.
logging.config.listen(9020).start()
```
Secure Code
```python
import logging

# Configure logging in-process; no network listener is exposed.
logging.basicConfig(level=logging.INFO)
```
Remediation
Remove the call to the `logging.config.listen` method.
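Where the listener genuinely cannot be removed, `logging.config.listen` accepts a `verify` callable (Python 3.4 and later) that is handed the raw bytes received on the socket and must return the configuration to apply, or `None` to discard the message before it is parsed. The following is an added example of using that hook to accept only HMAC-signed configuration; it is not part of this rule's guidance, and the wire format, key-loading and function names (`sign_config`, `verify_config`) are assumptions.

```python
import hashlib
import hmac
import logging
import logging.config
import os

# Constructed example key. Load the real key from a secret store or the
# environment, never from source, and share it only with the trusted sender.
SHARED_KEY = os.environ.get("LOG_CONFIG_KEY", "constructed-example-key").encode()
TAG_LEN = 64  # hex digest length of HMAC-SHA256


def sign_config(config_text: str, key: bytes = SHARED_KEY) -> bytes:
    """Wire format used by the trusted sender: <hex HMAC>\\n<config body>."""
    body = config_text.encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + body


def verify_config(data: bytes, key: bytes = SHARED_KEY):
    """`verify` callback for logging.config.listen.

    Returns the config bytes to apply when the HMAC tag checks out, or None,
    which makes the listener drop the message without parsing it.
    """
    tag, sep, body = data.partition(b"\n")
    if not sep or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


if __name__ == "__main__":
    # Only configuration carrying a valid tag ever reaches the parser (and eval).
    listener = logging.config.listen(9020, verify=verify_config)
    listener.start()
    try:
        input("listening for signed logging config on 9020; press Enter to stop\n")
    finally:
        logging.config.stopListening()
        listener.join()
```

The check only moves the trust boundary: anything signed with the shared key is still parsed and partly `eval`'d, so the key holder is fully trusted and the key must be protected accordingly. Removing the listener, as the remediation above states, stays the simplest fix.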
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0157 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | code injection, ssrf |
| OWASP | A1:2017-Injection, A03:2021-Injection |