search

escaped / django-video-encoding

django-video-encoding helps to convert your videos into different formats and resolutions.
BSD 3-Clause "New" or "Revised" License
116 stars 45 forks source link

bandit insecure code analyzer issues #20

Closed lifenautjoe closed 3 years ago

lifenautjoe commented 5 years ago

Hi!

Ran the security linter bandit ( https://pypi.org/project/bandit/ ) through this package and found 2 issues that might be worth looking into 

Run started:2019-09-11 11:53:54.804266

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with PIPE module.
   Severity: Low   Confidence: High
   Location: ./video_encoding/backends/ffmpeg.py:7
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
6   import tempfile
7   from subprocess import PIPE, Popen
8   
9   import six

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: ./video_encoding/backends/ffmpeg.py:66
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
65              return Popen(
66                  cmds, shell=False,
67                  stdin=PIPE, stdout=PIPE, stderr=PIPE,
68                  close_fds=True,
69              )
70          except OSError as e:

--------------------------------------------------

Code scanned:
    Total lines of code: 22531
    Total lines skipped (#nosec): 1

Run metrics:
    Total issues (by severity):
        Undefined: 0.0
        Low: 2.0
        Medium: 0.0
        High: 0.0
    Total issues (by confidence):
        Undefined: 0.0
        Low: 0.0
        Medium: 0.0
        High: 2.0
Files skipped (0):
Exited with code 1
escaped commented 3 years ago

hey @lifenautjoe ,

thanks for the report :) after having a second look I realised, that this "can't" be avoided, since we have to use the subprocess module in order to be able to call ffmpeg.

lifenautjoe commented 2 years ago

Hi @escaped , sorry for the late reply but we could avoid this by sanitising the allowed parameters that can be run and the filenames.

Right now, with a malicious filename, I can get code execution in the video processing machine.

lifenautjoe commented 2 years ago

actually, we can fix all this by using this wrapper library instead of using subprocess directly.

https://github.com/kkroening/ffmpeg-python

It sanitizes input and restricts possible params.