Command Execution

PyPexpect

pexpect spawns interactive subprocesses with expect/respond patterns. spawn(cmd, ...) on user-controlled cmd is a command-injection sink, equivalent to subprocess with shell=True.

Taint flow: 0 sources, 2 sinks.

Sinks (dangerous call): .spawn(), .run()

Sinks

.spawn() (Sink)
Signature
pexpect.spawn(command, args=[], timeout=30, ...) -> spawn

Spawns a child process. Command-injection sink on user-controlled command.

tracks: 0

.run() (Sink)
Signature
pexpect.run(command, timeout=30, events=None, extra_args=None, logfile=None, ...) -> bytes

Runs a command and returns output. Sink on user-controlled command.

tracks: 0

Fully-Qualified Names

FQN: pexpect (field: fqns[0])

A wrong FQN produces 0 findings. To verify the rule is bound to the right name, change fqns to a garbage value; the rule must then produce 0 results.
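An added example, not code from this rule page or from codepathfinder: a minimal stdlib-only scanner that resolves import aliases to the two sink FQNs listed above (pexpect.spawn, pexpect.run) and flags any call whose command argument is not a string literal, which is the shape of a user-controlled command reaching the sink. The sample module it scans, the helper names (find_sink_calls, _import_map, _resolve) and the ssh/ping commands in the sample are constructed for illustration. It also shows the FQN sanity check from this page: with a garbage FQN set the scanner reports 0 findings.

```python
import ast

# Constructed sample module (not from the page): one safe use, where the
# command is a literal and untrusted data goes into the args list, and two
# unsafe uses, where a user-controlled string becomes the command itself.
SAMPLE_SOURCE = '''
import pexpect
from pexpect import run as prun

def safe(host):
    # command is a literal; the untrusted value is passed as an argument
    child = pexpect.spawn("ssh", ["-o", "BatchMode=yes", host])
    return child

def unsafe(user_cmd):
    # user-controlled command string reaches the sink
    return pexpect.spawn("ssh " + user_cmd)

def unsafe_run(target):
    return prun(f"ping -c 1 {target}")
'''

# The two sink FQNs tracked by the PyPexpect rule.
SINK_FQNS = {"pexpect.spawn", "pexpect.run"}


def _import_map(tree):
    """Map local names to fully-qualified names from import statements."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                names[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return names


def _resolve(func, names):
    """Resolve the callee of a Call node to a dotted FQN, or None."""
    parts = []
    node = func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(names.get(node.id, node.id))
    return ".".join(reversed(parts))


def find_sink_calls(source, sink_fqns=SINK_FQNS):
    """Return sorted (line, fqn) pairs for sink calls whose command is not a literal."""
    tree = ast.parse(source)
    names = _import_map(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fqn = _resolve(node.func, names)
        if fqn not in sink_fqns or not node.args:
            continue
        cmd = node.args[0]
        # A plain string literal cannot carry user input; anything else
        # (concatenation, f-string, variable) is reported.
        if not isinstance(cmd, ast.Constant) or not isinstance(cmd.value, str):
            findings.append((node.lineno, fqn))
    return sorted(findings)


if __name__ == "__main__":
    for line, fqn in find_sink_calls(SAMPLE_SOURCE):
        print(f"line {line}: non-literal command passed to {fqn}")
    # FQN sanity check from the rule page: a garbage FQN must yield 0 findings
    print("garbage FQN findings:", find_sink_calls(SAMPLE_SOURCE, {"garbage.spawn"}))
```

The scanner deliberately treats only a string literal as safe; a real taint rule would instead follow data flow from sources to the sink, but the import-to-FQN resolution and the "garbage FQN gives 0 results" check are exactly what the fqns field above is tested against.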

Import

rule.py
from codepathfinder.go_rule import PyPexpect