Improper Neutralization of Wildcards or Matching Symbols
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-155: Improper Neutralization of Wildcards or Matching Symbols |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Running shell commands such as tar, chmod, chown, or rsync with a bare wildcard (for example `*`) through Python's os.system or a subprocess call with shell=True lets /bin/sh expand the wildcard before the command runs. Every file in the directory, including ones the program never expected, becomes a separate argument. Because the shell does not distinguish file names from options, a file whose name starts with a dash (for instance `--some-option`) is passed through verbatim and parsed by the command as an option rather than as a file. Note that simply dropping shell=True is not a complete fix: with an argument list the `*` is no longer expanded and the command receives the literal string `*`, and if the program instead enumerates files itself with glob or os.listdir, dash-prefixed names are still returned and must still be neutralized, for example by prefixing each path with `./` or by passing `--` before the file list where the command supports it.
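The following is an added example, not code from the rule page or from any tool it describes. It uses a small Python stand-in that merely reports its argv in place of tar or chmod, and a constructed scratch directory containing one ordinary file and one file whose name is shaped like an option (the name mirrors a well-known GNU tar option-injection pattern, but nothing here executes tar). It contrasts the flagged pattern (shell=True with a bare `*`), the common half-fix (no shell, literal `*`), and a hardened form that enumerates files in Python and prefixes each with `./`.

```python
import json
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed sample: the attacker's only contribution is a file whose name
# looks like a command-line option. Illustrative name; no tar is ever run.
OPTION_LIKE_NAME = "--checkpoint-action=exec=id"


def make_sample_dir():
    """Create a scratch directory with a benign file and an option-like filename."""
    directory = tempfile.mkdtemp(prefix="wildcard-demo-")
    for name in ("report.txt", OPTION_LIKE_NAME):
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write("sample data\n")
    return directory


# Stand-in for tar/chmod/chown/rsync: a tiny program that prints the argv it
# received as JSON, so we can see exactly what the wildcard handed to it.
ECHO_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
ECHO_ARGV_SHELL = " ".join(shlex.quote(part) for part in ECHO_ARGV)


def vulnerable_argv(directory):
    """Pattern the rule flags: shell=True plus a bare '*'. /bin/sh expands the
    wildcard, so every filename, option-like or not, becomes its own argument."""
    proc = subprocess.run(
        ECHO_ARGV_SHELL + " *",
        shell=True, cwd=directory, capture_output=True, text=True, check=True,
    )
    return sorted(json.loads(proc.stdout))


def no_shell_literal_argv(directory):
    """Common half-fix: dropping shell=True. Nothing expands '*' any more, so the
    program receives the literal string '*' (a functional bug, not an injection)."""
    proc = subprocess.run(
        ECHO_ARGV + ["*"], cwd=directory, capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def option_like(name):
    """True for a filename that an option parser would treat as an option."""
    return name.startswith("-")


def hardened_argv(directory):
    """Enumerate files in Python (glob.glob would return the same dash-prefixed
    names, so this step alone is not enough), then prefix each with './' so no
    argument can start with '-'. Passing '--' before the list is an equivalent
    defence for commands that honour it."""
    names = sorted(os.listdir(directory))
    files = [os.path.join(".", name) for name in names]
    proc = subprocess.run(
        ECHO_ARGV + files, cwd=directory, capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    sample = make_sample_dir()
    print("shell expansion  :", vulnerable_argv(sample))
    print("no shell, bare * :", no_shell_literal_argv(sample))
    print("hardened         :", hardened_argv(sample))
```

Run stand-alone, the first line shows `--checkpoint-action=exec=id` arriving as a separate argument that a real tar would parse as an option, the second shows the literal `*` that a list-form subprocess call passes through unexpanded, and the third shows every argument beginning with `./`, which no option parser will mistake for a flag.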
Impact
An attacker who can create files in a directory the wildcard covers (a shared upload, temp, or home directory is enough) can choose names that the expanded command parses as options instead of file operands. Depending on the command, that can change which files are read, written, or have their permissions or ownership altered, and for tools that accept options to run external programs, such as tar and rsync, it can reach arbitrary command execution with the privileges of the process issuing the command, which for backup or permission-fixing jobs is frequently root. The outcome is privilege escalation, unauthorized code execution, or loss of integrity of the application and the host.