Subprocess with Non-Absolute Paths
Description
A subprocess call whose executable path is not absolute is resolved at run time: a bare command name is looked up through the PATH environment variable, and a relative path is resolved against the process's current working directory. If an attacker can influence either, the call may run a binary of their choosing, which can lead to arbitrary command execution.
Examples
Insecure Code
```python
import subprocess

subprocess.Popen('relative/path/to/executable', shell=False)  # resolved against cwd
```
Secure Code
```python
import subprocess

subprocess.Popen('/absolute/path/to/executable', shell=False)  # names exactly one file
```
Remediation
Use absolute paths for the executable in every subprocess call (Popen, run, call, check_output), so the binary is identified by its full location rather than resolved through PATH or the working directory.
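The following is an added example, not code from the rule itself, showing one way to enforce the remediation in a wrapper rather than at each call site: a policy check that rejects any argv[0] that is not an absolute, existing executable, and a helper that maps a bare command name to an absolute path using only an explicit list of trusted directories instead of the inherited PATH. The names `TRUSTED_DIRS`, `resolve_trusted`, `is_absolute_executable`, `run_checked` and `demo` are hypothetical, and the trusted directory list is constructed for this example.

```python
import os
import shutil
import subprocess
import sys

# Constructed for this example: directories trusted to hold the binaries this
# program invokes. A real deployment would pin this to its own install layout.
TRUSTED_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def resolve_trusted(name, trusted_dirs=TRUSTED_DIRS):
    """Map a bare command name to an absolute path using only trusted_dirs.

    shutil.which is given an explicit search path, so the lookup ignores
    os.environ["PATH"] and the current working directory entirely. Returns
    None when the name is not found in any trusted directory.
    """
    return shutil.which(name, path=os.pathsep.join(trusted_dirs))


def is_absolute_executable(path):
    """Policy check for argv[0]: absolute, a regular file, and executable."""
    return (
        os.path.isabs(path)
        and os.path.isfile(path)
        and os.access(path, os.X_OK)
    )


def run_checked(argv, timeout=30):
    """Run argv with shell=False after verifying argv[0] passes the policy.

    A relative path or bare name raises ValueError instead of silently being
    resolved through cwd or PATH at exec time.
    """
    if not argv:
        raise ValueError("argv must not be empty")
    exe = argv[0]
    if not is_absolute_executable(exe):
        raise ValueError(f"refusing non-absolute or missing executable: {exe!r}")
    # shell=False keeps argv as a list: no shell parsing or word splitting,
    # and the absolute argv[0] is exec'd directly rather than searched for.
    return subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=timeout
    )


def demo():
    """Exercise both paths of the policy and return (stdout, rejected).

    sys.executable is always an absolute path, so the accepted call works on
    any host without assuming a particular binary is installed.
    """
    done = run_checked([sys.executable, "-c", "print('ok')"])
    rejected = False
    try:
        run_checked(["relative/path/to/executable"])
    except ValueError:
        rejected = True
    return done.stdout.strip(), rejected


if __name__ == "__main__":
    output, rejected = demo()
    print("accepted absolute interpreter, stdout:", output)
    print("relative path rejected:", rejected)
    print("'ls' via trusted dirs only:", resolve_trusted("ls"))
```

Calling `resolve_trusted("ls")` returns an absolute path only if `ls` lives in one of the trusted directories; the same name with `trusted_dirs=("/nonexistent",)` returns `None`, which is the point: the answer depends on a list the program controls, not on whatever PATH the process inherited.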
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0267 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | injection, path traversal |
| OWASP | A03:2021-Injection |