sdk/python/Command Execution/PyPexpect

PyPexpect

pexpect spawns interactive subprocesses with expect/respond patterns. spawn(cmd, ...) on user-controlled cmd is a command-injection sink, equivalent to subprocess with shell=True.

2 sinks

Taint flow0 sources → 2 sinks

Sinks — dangerous call

.spawn()Spawns a child process

.run()Runs a command and returns output

Sinks

— dangerous functions taint must not reach

.spawn()Sink

Signature

pexpect.spawn(command, args=[], timeout=30, ...) -> spawn

Spawns a child process. Command-injection sink on user-controlled command.

tracks:0

.run()Sink

Signature

pexpect.run(command, timeout=30, events=None, extra_args=None, logfile=None, ...) -> bytes

Runs a command and returns output. Sink on user-controlled command.

tracks:0

Fully-Qualified Names

FQN	Field
pexpect	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyPexpect

← PreviousPyOS

Next →PyPty