Subprocess call with untrusted argument
Description
The subprocess call passes a dynamic or potentially untrusted value as an argument. Even when the command is given as a list (so no shell is involved), the value reaches the child program verbatim: a value such as `-l` or `--help` is parsed as an option rather than as a file operand (argument injection), and if the value is concatenated into a command string or the call uses `shell=True`, shell metacharacters in it yield full OS command injection.
Examples
Insecure Code

```python
import subprocess

# user_input is attacker-controlled. Without "--", a value that starts with
# "-" (for example "-la" or "--help") is parsed by ls as an option, not a file.
subprocess.run(['ls', user_input])
```

Secure Code

```python
import subprocess

# "--" ends option parsing, so ls treats user_input as an operand even when
# it starts with "-". The list form (no shell=True) keeps the shell out.
subprocess.run(['ls', '--', user_input])
```

Remediation
Validate user-influenced input against an allowlist (for example, a single path component with no separators, NUL bytes or whitespace) before passing it to a subprocess call. Keep the command in list form and never set `shell=True` with untrusted data; if a shell is unavoidable, quote each value with `shlex.quote`. Place untrusted values after `--` so that programs following the POSIX/getopt convention stop treating them as options, and resolve any path the value names under a fixed base directory. Note that `--` only protects programs that honor it and only against values being read as options; it does not help when the untrusted value is used where a subcommand or option is expected.
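The following is an added example, not code from the rule or from any project it describes. It shows the flagged pattern beside a hardened version that combines the three controls above: an allowlist for the file name, `--` to stop option parsing, and a check that the resolved path stays under a base directory (which also catches symlinks). The names `validate_name`, `resolve_under`, `naive_ls_argv`, `hardened_ls_argv`, `is_confined` and `run_ls` are this example's own, and it assumes a POSIX `ls` that honors `--`.

```python
import os
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# Allowlist for a single path component. Leading dashes are deliberately
# permitted so that "--" is what defends against option injection; path
# separators, NUL bytes and whitespace are rejected by the character class.
_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,255}")


def validate_name(user_input: str) -> str:
    """Return user_input if it is a safe single path component, else raise ValueError."""
    if not isinstance(user_input, str) or not _NAME_RE.fullmatch(user_input):
        raise ValueError("file name contains disallowed characters")
    if user_input in (".", ".."):
        raise ValueError("relative directory references are not allowed")
    return user_input


def resolve_under(base: Path, name: str) -> Path:
    """Resolve base/name (following symlinks) and confirm it did not escape base."""
    base_real = base.resolve()
    target = (base_real / name).resolve()
    if target != base_real and base_real not in target.parents:
        raise ValueError(f"{name!r} resolves outside {base_real}")
    return target


def naive_ls_argv(user_input: str) -> List[str]:
    """The pattern the rule flags: '-la' becomes an option, not a file name."""
    return ["ls", user_input]


def hardened_ls_argv(user_input: str) -> List[str]:
    """Validated value after '--', so ls treats it as an operand whatever it starts with."""
    return ["ls", "--", validate_name(user_input)]


def is_confined(name: str, base: Optional[Path] = None) -> bool:
    """True if name passes the allowlist and stays under base (default: cwd)."""
    try:
        resolve_under(base or Path.cwd(), validate_name(name))
        return True
    except ValueError:
        return False


def run_ls(base: Path, user_input: str) -> subprocess.CompletedProcess:
    """List a single entry under base, with all three controls applied."""
    target = resolve_under(base, validate_name(user_input))
    return subprocess.run(["ls", "-d", "--", str(target)],
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a file literally named "-la" and a symlink pointing at "/".
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "-la").write_text("x")
        os.symlink("/", base / "escape")
        # Naive: "-la" is consumed as options, so ls lists the whole directory.
        print(subprocess.run(naive_ls_argv("-la"), cwd=d,
                             capture_output=True, text=True).stdout)
        # Hardened: "--" makes ls report only the file named "-la".
        print(subprocess.run(hardened_ls_argv("-la"), cwd=d,
                             capture_output=True, text=True).stdout)
        # The allowlist passes "escape", but path confinement rejects the symlink.
        print("escape confined:", is_confined("escape", base))
        print(run_ls(base, "-la").stdout)
```

The allowlist alone does not protect against option injection (it accepts `-la`), and `--` alone does not protect against a symlink or traversal that points outside the intended directory; the example keeps both because each closes a gap the other leaves open.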
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0268 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | command injection, user input validation |
| OWASP | A03:2021-Injection |