id: python-scanner

info:
  name: Python Scanner
  author: majidmc2
  severity: info
  description: Nuclei template to detect potentially dangerous Python functions in Python files. The template checks for functions that could lead to code injection, command injection, loading untrusted data, and SQL injection vulnerabilities.
  reference:
    - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
    - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
  tags: python,file,sast

file:
  - extensions:
      - py

    extractors:
      - type: regex
        name: code-injection
        regex:
          - 'exec'
          - 'eval'
          - '__import__'
          - 'execfile'

      - type: regex
        name: command-injection
        regex:
          - 'subprocess.call\(.*shell=True.*\)'
          - 'os.system'
          - 'os.popen\d?'
          - 'subprocess.run'
          - 'commands.getoutput'

      - type: regex
        name: untrusted-source
        regex:
          - 'pickle\.loads'
          - 'c?Pickle\.loads?'
          - 'marshal\.loads'
          - 'pickle\.Unpickler'

      - type: regex
        name: dangerous-yaml
        regex:
          - 'yaml\.load'
          - 'yaml\.safe_load'

      - type: regex
        name: sqli
        regex:
          - 'cursor\.execute'
          - 'sqlite3\.execute'
          - 'MySQLdb\.execute'
          - 'psycopg2\.execute'
          - 'cx_Oracle\.execute'