How to fix the "Command Injection" issue reported by Checkmarx for the Python code "args=parser.parse_args()"?


I have Python code which parses the input parameters like the following:

import argparse

parser = argparse.ArgumentParser(description='Information injection in file.')  # , usage=usage())
requiredNamed = parser.add_argument_group('...')
requiredNamed.add_argument('--name', action='store', dest='myname', help='...', required=True)
requiredNamed.add_argument('--type', action='store', dest='mytype', help='...', required=True)
parser.add_argument('--enums', nargs='+', help='List to include')
args = parser.parse_args()  # Checkmarx flags this line as the untrusted source

For the above code, Checkmarx shows a High-Severity error message for "args=parser.parse_args()" as follows:

The application's get_process_output method calls an OS (shell) command with Popen, using an untrusted string with the command to execute. This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack. The attacker may be able to inject the executed command via user input, parse_args, which is retrieved by the application in the {} method...

The above Python code is used internally (not in a public environment like a website), so no command injection will happen. So in this case, to pass the Checkmarx scan, could you give me any clue on how to update my Python code? (For example, is there another Python API I can use to replace the above "args=parser.parse_args()"?) Thanks!


There are 0 answers
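The finding is not really about parse_args(); argparse is only the source Checkmarx traces from. The sink is the get_process_output method that joins command-line values into one string and hands it to Popen with shell=True, which is the pattern Checkmarx reports. The usual fix is to keep the same argparse code but (a) run the child with an argv list and shell=False, so no shell ever parses the values, and (b) constrain the values with argparse type= and choices= so they can only be what the program expects. The following is an added example written for this page, not code from the original question or from Checkmarx. It assumes the original get_process_output looked like get_process_output_flagged below (the question does not show it), and it assumes a hypothetical external tool "mytool" with "--enum" flags and an illustrative set of allowed --type values; run_demo substitutes the Python interpreter for that tool so it runs anywhere.

```python
"""Hardening the argparse -> subprocess path that Checkmarx reports as Command Injection.

Added example. Assumed, not from the question: the shape of the original
get_process_output (shown as get_process_output_flagged), the tool name
"mytool", its "--enum" flag, and the allowed --type values.
"""
import argparse
import re
import subprocess
import sys

# Second half of the fix: even with shell=False the values still become another
# program's argv, so constrain them to what they are meant to be.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
ALLOWED_TYPES = ("json", "yaml", "xml")  # assumed set, for illustration only


def is_valid_name(value: str) -> bool:
    """True only for a short token of safe characters (no spaces or shell metacharacters)."""
    return NAME_RE.fullmatch(value) is not None


def safe_name(value: str) -> str:
    """argparse type= callback: argparse reports the error and exits before the value is used."""
    if not is_valid_name(value):
        raise argparse.ArgumentTypeError(f"invalid value: {value!r}")
    return value


def build_parser() -> argparse.ArgumentParser:
    """Same arguments as the question, with validation attached to each one."""
    parser = argparse.ArgumentParser(description='Information injection in file.')
    required = parser.add_argument_group('required arguments')
    required.add_argument('--name', dest='myname', type=safe_name, required=True)
    required.add_argument('--type', dest='mytype', choices=ALLOWED_TYPES, required=True)
    parser.add_argument('--enums', nargs='+', type=safe_name, default=[], help='List to include')
    return parser


def parse(argv_in: list) -> argparse.Namespace:
    return build_parser().parse_args(argv_in)


# FLAGGED PATTERN (assumed shape of the original): string concatenation + shell=True.
# A --name value such as "x; rm -rf /" becomes part of the shell command line.
# Kept for contrast only; nothing below calls it.
def get_process_output_flagged(args: argparse.Namespace) -> str:
    cmd = f"mytool --name {args.myname} --type {args.mytype}"
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


# FIXED PATTERN: build an argv list. Each value is exactly one argv entry and no
# shell parses it, so ';', '|' and '$(...)' are ordinary characters.
def build_argv(args: argparse.Namespace, tool: str = "mytool") -> list:
    argv = [tool, "--name", args.myname, "--type", args.mytype]
    for enum in args.enums:
        argv += ["--enum", enum]  # "--enum" is an assumed flag of the hypothetical tool
    return argv


def get_process_output(argv: list) -> str:
    """Run argv with shell=False (the default) and return its stdout."""
    if isinstance(argv, str):
        raise TypeError("pass an argv list, never a joined command string")
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return proc.stdout


def run_demo(name: str) -> str:
    """Show an unvalidated value reaching the child as one literal argv entry.

    The Python interpreter stands in for "mytool" so this runs on any platform.
    """
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", name]
    return get_process_output(child)


if __name__ == "__main__":
    ns = parse(["--name", "report", "--type", "json", "--enums", "a", "b"])
    print(build_argv(ns))
    # Shell metacharacters are printed back verbatim, not executed.
    print(run_demo("foo; echo injected"), end="")
```

Running the module prints the argv list and then the string "foo; echo injected" unchanged, because with shell=False the value is delivered to the child as a single argument. Once get_process_output takes a list and the argparse values are validated, the taint path from parse_args to Popen that Checkmarx reports no longer exists; changing parse_args itself would not help, since any other input API would be treated as the same untrusted source.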