[python] The tuple (*) argument of a call cannot step to function parameter for the CommandInjectionCustomizations flow

[hyperlyz]

In Python, when passing the typle (*) argument to function parameters, the taint propagation chain breaks. As shown in the following code snippet, this issue occurs. Are there plans to support this scenario? How do i resolve this issue?

from django.contrib.auth.decorators import login_required
from django.conf.urls import url
import os

def build_cmd(cmd: str):
    cmd = cmd + "; touch aa"
    print(cmd)
    return cmd

@login_required 
def GetOperateLog(request):
    cmd = request.POST.get('cmd', None)
    args = []
    args.append(cmd)
    cmd3 = build_cmd(*args)
    os.system(cmd3)

urlpatterns = [
    url(r'^GetOperateLog', GetOperateLog, name='GetOperateLog'),
]

This is the taint propagation flow.

[rvermeulen]

Hi @hyperlyz,

Thanks for the report. I have been able to reproduce this and will reach out to the team. Stay tuned!

[hyperlyz]

Hi @rvermeulen,

Thanks for your reply. Look forward to hearing from you soon.

[rvermeulen]

Hi @hyperlyz,

The team has been made aware of the missing data flow step. Unfortunately I can't share timelines yet.

[hyperlyz]

Hi @rvermeulen,

Thanks for your timely response. Look forward to the further progress soon.