add sanitizer and update message of dangerous subprocess rule (#3487)

semgrep · Oct 15, 2024 · 153588f · 153588f
1 parent c865e0c
commit 153588f
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml b/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
@@ -3,6 +3,8 @@ rules:
   mode: taint
   options:
     symbolic_propagation: true
+  pattern-sanitizers:
+    - pattern: shlex.quote(...)
   pattern-sources:
   - patterns:
     - pattern-either:
@@ -81,7 +83,7 @@ rules:
   message: >-
     Detected subprocess function '$FUNC' with user controlled data. A malicious actor
     could leverage this to perform command injection.
-    You may consider using 'shlex.escape()'.
+    You may consider using 'shlex.quote()'.
   metadata:
     owasp:
     - A01:2017 - Injection