B601: paramiko_calls
B601: Test for shell injection within Paramiko
Paramiko is a Python library designed to work with the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. It is intended to run commands on a remote host. These commands are run within a shell on the target and are thus vulnerable to various shell injection attacks. Bandit reports a MEDIUM issue when it detects the use of Paramiko’s “exec_command” method advising the user to check inputs are correctly sanitized.
- Example:
>> Issue: Possible shell injection via Paramiko call, check inputs are
properly sanitized.
Severity: Medium Confidence: Medium
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: ./examples/paramiko_injection.py:4
3 # this is not safe
4 paramiko.exec_command('something; really; unsafe')
5
See also
Added in version 0.12.0.
Changed in version 1.7.3: CWE information added