-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Getting Code Vulnerability in "six.py" module file #380
Comments
That is not a vulnerability |
I am getting this vulnerability in AWS Inspector console on that particular line, if you have any suggestions or any replacement module which i can installed in place of pyawscron and dynamodb-json, as these 2 modules are installing the six module related files and folder ? |
You could just ignore the error |
This is related to organization code, if it would have been related to my personal project, i could have ignored that for sure, but as this is at organization level, i need to work on some fix, but i am confused as this is module related, how can i fix this ? |
Did you have no way to add a exception? The code is just a wrapper to use the exec function in Python 2 and 3. As long as nobody calls this function, this is not a problem. |
Ok, If i go ahead and comment that line in file (installed after installing pyawscron and dynamodb-json modules) where i am getting vulnerability - exec("""exec code in globs, locs"""), at first place, we usually think that if we will touch anything in 3rd party packages, it might break something else in the code but as this one is the simplest statement which is similar to print statement, we can ignore that. Resolution as per me - Let me know if this is an correct resolution ? Please correct me if wrong and if you can add something that would be great. Thanks for your suggestions, i really appreciate that. |
Let me know your suggestions on my assumption discussed above ? |
I never used WAS, so if it works for you, you can do it. |
I am using AWS Cloud and AWS Inspector is showing this line - exec("""exec code in globs, locs""") as a vulnerable line. |
Hello, |
The official repo here is likely not to remove a feature that makes things compatible since making things compatible is its purpose. It is the responsibility of the caller to not use exec insecurely, and six is merely a go-between between the caller and exec. Therefore, if the library is being installed automatically by those packages,
You may need to forcibly uninstall the official six using your install script since you will want your forked version to always be installed. If no solutions in links above work, you may have to script it: For maintaining your fork well I suggest putting your change in another branch and using that branch after the @ sign or where main or master or another branch or commit is mentioned in any of these instructions. That way, you can always go to GitHub, your repo, then click "sync". Then make a pull request to yourself from your master to your branch. If it cannot be merged automatically, or if you want to skip the pull request step entirely, just delete the branch and remake it with the same name, and re-add your changes. Then your scripts will continue to be able to install the fork from that branch name. It will from then on be your responsibility to update it using these steps any time there are improvements on the official version that you need, which is likely not often though. |
Hello,
I am getting code vulnerability when i am using this library, mainly in these lines - (mainly i am working with pyawscron and dynamodb-json module and which are installing this module)
Title = CWE-77,78,88 - OS command injection
Detector name = OS command injection
Vulnerable line = Line ( #735) - exec("""exec code in globs, locs""")
and the similar lines in different part of the code.
I am not sure how exactly i can fix it, also my second requirement is as now i am mostly dealing with python3 related codes from long time and now i didn't require python2 related things, but i am also not sure if some application under the hood are using python2, i need to veriy that.
I am here to ask, if there is a security fix for this or there is any custom solution ?
please let me know how can i deal with my applications as i am getting code vulnerability issues ?
Thanks
The text was updated successfully, but these errors were encountered: