Skip to content

Latest commit

 

History

History
37 lines (26 loc) · 1.02 KB

DUO105.md

File metadata and controls

37 lines (26 loc) · 1.02 KB

DUO105

This linter searches for use of the built-in exec function. This function commonly allows for arbitrary code execution bugs when combined with user input.

Problematic code

malicious_user_input = 'open("/etc/passwd", "w").write("bad data")'

exec(malicious_user_input)

Correct code

def touch_file():
    # Constant argument
    exec('open("/path/to/filename", "w").write("")')

Rationale

Arbitrary code execution allows an attacker to perform any action within the context of the system the bug is found. E.g. open a reverse shell to a system of their choosing, install malware by downloading and running a payload, silently log actions performed on the victim system, etc.

Arbitrary code execution bugs are effectively the keys to the castle. We'd like to avoid using the above function because it commonly allows for these types of bugs.

Exceptions

  • Code may be safe if data passed to exec contains no user input
  • Code may be safe if data passed to exec is a constant string