Update python-scanner.yaml

- Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions.
2023-08-04 12:57:44 +03:30 · 2023-08-04 12:57:44 +03:30 · 0cc5a83e13
parent ed3696a791
commit 0cc5a83e13
1 changed files with 19 additions and 7 deletions
--- a/file/python/python-scanner.yaml
+++ b/file/python/python-scanner.yaml
@ -4,7 +4,7 @@ info:
  name: Python Scanner
  author: majidmc2
  severity: info
-  description: Indicators for dangerous Python functions
+  description: Nuclei template to detect potentially dangerous Python functions in Python files. The template checks for functions that could lead to code injection, command injection, loading untrusted data, and SQL injection vulnerabilities.
  reference:
    - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
    - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
@ -21,26 +21,38 @@ file:
          - 'exec'
          - 'eval'
          - '__import__'
-
+          - 'execfile'
+          
      - type: regex
        name: command-injection
        regex:
          - 'subprocess.call\(.*shell=True.*\)'
          - 'os.system'
-          - 'os.popen'
+          - 'os.popen\d?'
+          - 'subprocess.run'
+          - 'commands.getoutput'

      - type: regex
        name: untrusted-source
        regex:
-          - 'pickle.loads'
-          - 'cPickle.loads'
+          - 'pickle\.loads'
+          - 'c?Pickle\.loads?'
+          - 'marshal\.loads'
+          - 'pickle\.Unpickler

      - type: regex
        name: dangerous-yaml
        regex:
-          - 'yaml.load'
+          regex:
+          - 'yaml\.load'
+          - 'yaml\.safe_load'

      - type: regex
        name: sqli
        regex:
-          - 'cursor.execute'
+          regex:
+          - 'cursor\.execute'
+          - 'sqlite3\.execute'
+          - 'MySQLdb\.execute'
+          - 'psycopg2\.execute'
+          - 'cx_Oracle\.execute'