-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sandbox Process Creation #1799
Sandbox Process Creation #1799
Conversation
pyproject.toml
Outdated
@@ -14,6 +14,7 @@ classifiers = [ | |||
|
|||
[tool.poetry.dependencies] | |||
python = ">=3.11,<3.13" | |||
security = "==1.2.1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This library holds security tools for protecting Python API calls.
License: MIT ✅ Open Source ✅ More facts
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
…-24-pixee-python/sandbox-process-creation
@pixeebot, this change is causing issues with mypy like:
does the python |
@burnettk thank you very much for the feedback! The |
For example, you can see the type annotations here: https://github.com/pixee/python-security/blob/6256809dac1c45530e5eeef8b48032a2bbd6b7d6/src/security/safe_command/api.py#L126-L138 |
@drdavella , thank you. |
@drdavella in security lib api.py, is the |
Hi @burnettk, no that looks like a leftover from debugging/development. I'll fix it and release a bugfix. |
confirmed fixed in 1.3.1 |
This codemod sandboxes all instances of subprocess.run and subprocess.call to offer protection against attack.
Left unchecked,
subprocess.run
andsubprocess.call
can execute any arbitrary system command. If an attacker can control part of the strings used as program paths or arguments, they could execute arbitrary programs, install malware, and anything else they could do if they had a shell open on the application host.Our change introduces a sandbox which protects the application:
The default
safe_command
restrictions applied are the following:safe_command
functions attempt to parse the given command, and throw aSecurityException
if multiple commands are present./etc/passwd
, so the sandbox prevents arguments that point to these files that may be targets for exfiltration.There are more options for sandboxing if you are interested in locking down system commands even more.
Dependency Updates
This codemod relies on an external dependency. We have automatically added this dependency to your project's
pyproject.toml
file.This library holds security tools for protecting Python API calls.
There are a number of places where Python project dependencies can be expressed, including
setup.py
,pyproject.toml
,setup.cfg
, andrequirements.txt
files. If this change is incorrect, or if you are using another packaging system such aspoetry
, it may be necessary for you to manually add the dependency to the proper location in your project.More reading
🧚🤖 Powered by Pixeebot
Feedback | Community | Docs | Codemod ID: pixee:python/sandbox-process-creation