Unsanitized input is run as code High

Running scripts generated from unsanitized inputs (for example, evaluating expressions that include user-provided strings) can lead to malicious behavior and inadvertently running code remotely.

Detector ID
python/code-injection@v1.0
Category

Noncompliant example

1from flask import app
2
3
4@app.route('/')
5def execute_input_noncompliant():
6    from flask import request
7    module_version = request.args.get("module_version")
8    # Noncompliant: executes unsanitized inputs.
9    exec("import urllib%s as urllib" % module_version)

Compliant example

1from flask import app
2
3
4@app.route('/')
5def execute_input_compliant():
6    from flask import request
7    module_version = request.args.get("module_version")
8    # Compliant: executes sanitized inputs.
9    exec("import urllib%d as urllib" % int(module_version))