Upgrade shlex to version 1.3.0 or higher.
shlex is a library for splitting a string into shell words, like Python's shlex.
Affected versions of this package are vulnerable to Improper Input Validation via the quote and join APIs. An attacker can potentially inject multiple arguments where only one is expected, leading to undesired consequences and potentially arbitrary command execution by passing manipulated output to a shell. Additionally, the handling of nul bytes in strings can result in security-sensitive outcomes in uncommon scenarios when used in Unix command arguments or environment variables. Furthermore, control characters pose a risk when writing directly to the standard input of an interactive shell, as they can cause misbehaviour including arbitrary command injection.
This vulnerability can be mitigated by checking for the bytes { and \xa0 in quote/join input or output, and manually checking for nul bytes in quote/join input or output.
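The mitigation above, as an added example that is not part of this advisory page or of the shlex crate: a guard that applies the byte checks to the input and output of whatever quote function is in use. The names checked_quote, checked_join, QuoteError and naive_quote are chosen here; naive_quote is a stand-in quoter so the block runs without the shlex crate, and in real code the first argument would be the crate's quote function.

```rust
// Added example: wrap a quote/join function with the advisory's byte checks.
// Assumed names: QuoteError, checked_quote, checked_join, naive_quote.

#[derive(Debug, PartialEq, Eq)]
pub enum QuoteError {
    Nul,             // nul bytes cannot be passed in Unix argv or environment values
    BraceOrNbsp(u8), // '{' (brace expansion) or 0xA0 (treated as whitespace in some locales)
}

/// Scan raw bytes (not chars) so a 0xA0 byte inside any UTF-8 sequence is
/// caught; this is deliberately conservative, matching the advisory's wording.
fn find_unsafe_byte(s: &[u8]) -> Option<QuoteError> {
    for &b in s {
        match b {
            0 => return Some(QuoteError::Nul),
            b'{' | 0xA0 => return Some(QuoteError::BraceOrNbsp(b)),
            _ => {}
        }
    }
    None
}

/// Apply the checks to the input and to the quoter's output, so a quoter that
/// passes '{' or 0xA0 through unquoted (the vulnerable behaviour) is rejected.
pub fn checked_quote<F>(quote: F, s: &str) -> Result<String, QuoteError>
where
    F: Fn(&str) -> String,
{
    if let Some(e) = find_unsafe_byte(s.as_bytes()) { return Err(e); }
    let out = quote(s);
    if let Some(e) = find_unsafe_byte(out.as_bytes()) { return Err(e); }
    Ok(out)
}

/// Join words into one command line, guarding every word the same way.
pub fn checked_join<F>(quote: F, words: &[&str]) -> Result<String, QuoteError>
where
    F: Fn(&str) -> String,
{
    let mut parts = Vec::with_capacity(words.len());
    for w in words { parts.push(checked_quote(&quote, w)?); }
    Ok(parts.join(" "))
}

/// Stand-in for shlex::quote (not the crate's algorithm): bare words made of
/// [A-Za-z0-9_./=-] pass through, everything else is single-quoted.
pub fn naive_quote(s: &str) -> String {
    let safe = |c: char| c.is_ascii_alphanumeric() || "_./=-".contains(c);
    if !s.is_empty() && s.chars().all(safe) { s.to_string() }
    else { format!("'{}'", s.replace('\'', "'\\''")) }
}
```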