Comment by akdev1l

7 days ago

Yes, in this specific use case you need a shell.

But that’s the same as saying you technically need SQL injection so that `psql -c 'command'` can work

> you cannot simulate all of this with command vector

Uhh, yes we can just call a shell:

    subprocess.run(["bash", "-c", data_handler])

As a bonus this way we get control of which shell is being used and I find it is more explicit so I prefer it

> subprocess.run(["bash",

Not the same thing; this is vulnerable to $PATH interception. You can hardcode the path to bash to avoid that, but there's no guarantee that it'll always be there. system() on the other hand is guaranteed to run the operating system's command interpreter.

  • Yes the user controls the path and in the example provided they could just call whatever command they want anyway

    This doesn’t give the attacker any access that they wouldn’t have.

    Also you can just clobber the “PATH” variable if so inclined.

    > system() on the other hand is guaranteed to run the operating system’s command interpreter

    Yeah, that just means it is less predictable.

    Please show me python programs which support the pattern shown by the parent post and which actually work when running under powershell. (Or Oil shell or any other non-POSIX shell)

    Aside: `/bin/sh` is guaranteed to exist by POSIX

    subprocess.run(["bash", "-c", "--", data_handler])

The very thing TFA complains about.

  • Do you think using `psql -c "SELECT 1"` is actually doing sql injection?

    Because yeah if your program provides “invoking the shell as a feature” then it sure as fuck needs to invoke the shell. I was just replying to this far-fetched example.

    By the way, I think it is still better to do this than calling system because if I read “run([bash” I know the developer meant to do this explicitly. If I read “system()” then I’m probably gonna assume they were just lazy and probably didn’t even know about the extra shell being invoked. (I also said this in my previous comment, please read before replying)
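A defensive reading of the points raised above (an absolute interpreter path instead of a $PATH lookup of "bash", the POSIX-guaranteed `/bin/sh`, and the `--` from the last snippet), written as an added example that is not code from anyone in this thread. It assumes the program's feature really is "run a user-supplied shell snippet", pins a minimal environment so a clobbered PATH in the caller cannot change what the snippet resolves, and goes one step beyond the thread by handing any further values to the snippet as positional parameters instead of splicing them into the command string. The function names and the constructed inputs are mine.

```python
import subprocess
from typing import Sequence

# Assumption: /bin/sh is the interpreter we want (POSIX guarantees it exists).
# An absolute path means there is no $PATH lookup to intercept.
SH = "/bin/sh"

# Pinned, minimal environment: the snippet resolves commands against this PATH,
# not against whatever the calling process inherited.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}


def run_handler(data_handler: str, *args: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run a user-supplied shell snippet with a fixed interpreter and environment.

    argv layout: sh -c -- <command_string> <$0> <$1> <$2> ...
      - "--" ends option parsing, so a snippet beginning with "-" is taken as the
        command string rather than as a shell option such as -n (noexec)
      - "handler" becomes $0 inside the snippet
      - *args become $1, $2, ... and are never re-parsed as shell code
    """
    argv: Sequence[str] = [SH, "-c", "--", data_handler, "handler", *args]
    return subprocess.run(
        argv,
        env=SAFE_ENV,
        capture_output=True,
        text=True,
        timeout=timeout,
    )


def handler_output(data_handler: str, *args: str) -> str:
    """Convenience wrapper returning only the snippet's stdout."""
    return run_handler(data_handler, *args).stdout


if __name__ == "__main__":
    # Constructed demonstration inputs.
    print(handler_output("printf '%s' hello"))                       # hello
    print(handler_output('printf "%s" "$PATH"'))                     # /usr/bin:/bin
    # The second value reaches the snippet as $1, so the ';' is plain data.
    print(handler_output('printf "%s" "$1"', "x; echo injected"))    # x; echo injected
    # Because of "--", "-n" is a (missing) command, not the noexec option.
    print(run_handler("-n").returncode)                              # 127
```

The last case is the reason for the `--`: without it, `sh -c -n handler` would silently enable noexec and exit 0, whereas with it the snippet runs and fails loudly with "command not found".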