Command Execution
subprocess, os — command injection sinks
PyCffi: cffi calls C libraries without writing a C extension. FFI.dlopen() loads a shared library at runtime — code-execution sink on a user-controlled path. FFI.cdef parses C declarations — neutral unless the definitions are user-controlled.
PyCtypes: The ctypes module for calling C libraries. LoadLibrary / CDLL on user-controlled paths loads arbitrary code — code-execution sink. String pointer operations can also be memory-safety findings.
PyDocker: The docker SDK. DockerClient.containers.run with privileged=True is a container-escape finding. A volumes mapping that mounts /var/run/docker.sock into the container grants the container full Docker daemon access, which is equivalent to root on the host.
PyFcntl: Python stdlib module — fcntl. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyOS: The os standard library module. os.system() and os.popen() always invoke a shell and are injection sinks. The os.exec* variants avoid the shell (they replace the current process rather than spawning a child) but are still sinks: a user-controlled program path or argv runs arbitrary code. Environment accessors (os.environ, os.getenv) are sources.
PyPexpect: pexpect spawns interactive subprocesses with expect/respond patterns. spawn(cmd, ...) on a user-controlled cmd is a command-injection sink. Note that pexpect splits the command string itself and execs the program directly; shell metacharacters (|, >, ;, *) are not interpreted unless the command explicitly starts a shell, so the sink is the program path and its arguments rather than shell syntax. Treat it like subprocess with a user-controlled argv.
PyPty: Python stdlib module — pty. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyShlex: The shlex module provides shell-compatible tokenization and quoting. shlex.quote is the canonical sanitizer for shell=True command construction on POSIX shells; its single-quote escaping is not valid for Windows cmd.exe. shlex.split is safer than splitting yourself, but quote is what protects against shell-metacharacter injection.
PySignal: Python stdlib module — signal. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PySubprocess: The subprocess standard library module for spawning child processes. Most call APIs accept either a list[str] (no shell, so shell metacharacters are inert) or a string with shell=True (command-injection sink when the string contains user input). The list form is still an argument-injection sink: a user-controlled first element chooses the program, and a value beginning with "-" can be parsed as an option by the child (use the "--" end-of-options marker where the program supports it). On Windows the list is joined back into a single command line, so the quoting rules differ from POSIX.
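Added example (not code from the catalog or from the modules it indexes) showing the three construction styles side by side on one constructed attacker value: string interpolation under shell=True, the same call with shlex.quote applied, and the argv list form. It also shows how shlex.split tokenizes each string, and a hypothetical helper, argv_with_untrusted, that guards the list form against option injection with the POSIX "--" marker. It assumes a POSIX sh and an echo binary on PATH.

```python
import shlex
import subprocess

# Constructed attacker input: a "filename" that smuggles a second command.
EVIL_NAME = "x; echo INJECTED"


def run_shell_unquoted(name: str) -> str:
    """Vulnerable: user value interpolated into a shell=True command string."""
    return subprocess.run(f"echo {name}", shell=True,
                          capture_output=True, text=True).stdout


def run_shell_quoted(name: str) -> str:
    """Still shell=True, but each untrusted value goes through shlex.quote."""
    return subprocess.run(f"echo {shlex.quote(name)}", shell=True,
                          capture_output=True, text=True).stdout


def run_argv(name: str) -> str:
    """No shell at all: the value is passed as exactly one argv element."""
    return subprocess.run(["echo", name],
                          capture_output=True, text=True).stdout


def unquoted_tokens(name: str) -> list[str]:
    """How a POSIX shell would tokenize the unquoted command string."""
    return shlex.split(f"echo {name}")


def quoted_tokens(name: str) -> list[str]:
    """Same string after shlex.quote: the value survives as a single token."""
    return shlex.split(f"echo {shlex.quote(name)}")


def argv_with_untrusted(prog: str, fixed_args: list[str],
                        untrusted: str) -> list[str]:
    """Hypothetical guard for the list form (an assumption, not stdlib API).

    Even without a shell, a value such as "-rf" can be parsed as an option by
    the child program. Placing the POSIX "--" end-of-options marker before the
    untrusted value forces it to be read as an operand. Only valid for
    programs that honour "--" (most GNU/POSIX tools, git, ssh, ...).
    """
    if "\0" in untrusted:
        # execve cannot pass NUL; fail loudly instead of truncating.
        raise ValueError("NUL byte in argument")
    return [prog, *fixed_args, "--", untrusted]


if __name__ == "__main__":
    print("shell=True, unquoted :", repr(run_shell_unquoted(EVIL_NAME)))
    print("shell=True, quoted   :", repr(run_shell_quoted(EVIL_NAME)))
    print("argv list            :", repr(run_argv(EVIL_NAME)))
    print("tokens unquoted      :", unquoted_tokens(EVIL_NAME))
    print("tokens quoted        :", quoted_tokens(EVIL_NAME))
    print("guarded argv         :", argv_with_untrusted("ls", ["-l"], "-rf"))
```

Only the first function executes the injected `echo INJECTED`; the quoted and argv forms print the attacker string literally. The tokenizer output makes the reason visible: unquoted, the shell sees four words and a command separator; quoted, it sees one argument. The `--` guard covers the residual risk of the list form, which the shell-centric sanitizers do not address.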