Skip to content

Latest commit

 

History

History
29 lines (18 loc) · 553 Bytes

PAR101.md

File metadata and controls

29 lines (18 loc) · 553 Bytes

PAR101

Unquoted inputs to paramiko exec_command() can leave the remote host vulnerable to shell injection.

Applies to :

  • SSHClient.exec_command()
  • Channel.exec_command()

Notes

  • String literals are ok
  • Call expressions or reference expressions are treated as "unsafe" unless escaped

Quick Fixes

Fixes

Use shlex.quote surrounding any input, e.g.

import paramiko
import shlex

client = paramiko.SSHClient(...)
ret = client.exec_command(shlex.quote(input))