PAR101¶

Unquoted inputs to paramiko exec_command() can leave the remote host vulnerable to shell injection.

Applies to :

SSHClient.exec_command()
Channel.exec_command()

Notes¶

String literals are ok
Call expressions or reference expressions are treated as “unsafe” unless escaped

Quick Fixes¶

Shell Escape Fixer

Fixes¶

Use shlex.quote surrounding any input, e.g.

import paramiko
import shlex

client = paramiko.SSHClient(...)
ret = client.exec_command(shlex.quote(input))

Fork me on GitHub