firatkiral / pypeek

Peek screen recorder and screenshot with annotations
GNU General Public License v3.0

Popen([..], shell=True, [..]) can be avoided and may be exploitable (command injection) #2

Closed hartwork closed 1 year ago

hartwork commented 1 year ago

Hi!

I found this code: https://github.com/firatkiral/pypeek/blob/ac94d6a21d56a9712db92192374cf73fdff1dacb/src/pypeek/main.py#L1049-L1058. If any of the variables going into the system call can be controlled by an attacker, then this is a command injection vulnerability. Either way, I would resolve the needless(?) shell=True here and build a list to call that command, not a flat string.

Thanks, Sebastian
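An added illustration of the point raised above (not code from pypeek or from the issue author): the same constructed argument run through a flat `shell=True` string versus an argument list. `echo` stands in for the real tool, and a POSIX `/bin/sh` is assumed to be present.

```python
import shlex
import subprocess

# Constructed sample value standing in for a variable that reaches the
# system call (an output path, for instance). Hypothetical, not from the issue.
HOSTILE_PATH = "clip.mp4; echo INJECTED"


def run_flat_string(path: str) -> list[str]:
    """The risky pattern: interpolate into one string and hand it to a shell.

    Returns the output lines. The ';' in `path` is parsed by the shell as a
    command separator, so a second command runs."""
    cmd = f"echo start {path}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv_list(path: str) -> list[str]:
    """The fix suggested in the issue: pass an argument list and drop shell=True.

    Each list element reaches the child as exactly one argv entry, so shell
    metacharacters inside `path` are ordinary characters, not syntax."""
    argv = ["echo", "start", path]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_quoted_string(path: str) -> list[str]:
    """Fallback if a shell really is required: quote every interpolated value.

    shlex.quote() wraps the value so the shell sees a single word."""
    cmd = f"echo start {shlex.quote(path)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("shell=True, flat string :", run_flat_string(HOSTILE_PATH))
    print("argument list           :", run_argv_list(HOSTILE_PATH))
    print("shell=True, quoted      :", run_quoted_string(HOSTILE_PATH))
```

With the flat string the output has two lines (the injected `echo` ran); with the list or quoted forms the whole value is printed as one argument.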

firatkiral commented 1 year ago

@hartwork thank you, looking...

hartwork commented 1 year ago

@firatkiral found 870cd315de1fc928654233e309e102ddab48cc8a about it now, very nice, thank you! :+1: