Preventing my script from os command injection python - python

i am using python 2.7.x
I automating my stuffs and in there i need run to another python program from my python script for that i am using the system function from the 'os' library.
for e.g:
import os
os.system("python anotherscript.py --data <USER_INPUT_FROM_MY_SCRIPT_HERE>")
so i know if any user inputs some other command in place of expected user input that will be converting to os command injection and that's what i want prevent in this case.
Thank you.

Since you need to run a Python script from Python, just import it the Python way and invoke the needed function normally
import anotherscript
anotherscript.<function>("<user_input>")

#Tenchi2xh's answer is the better way to do it, but if that doesn't work (e.g. your script only works on Python 2.x and the other one only works on Python 3.x) then you should use the subprocess module, passing the arguments as a list:
import subprocess
subprocess.call(['python', 'anotherscript.py', '--data', '<USER INPUT>'])
Also take a look at subprocess.check_call and subprocess.check_output to see if they are closer to what you need.
https://docs.python.org/2/library/subprocess.html#subprocess.call

Related

Simple Python shell wrapper script (using os.execv?)

I want to add a wrapper around a specific shell command. This will run in Linux only and I don't care about cross platform support. This code works, but is there a better way to achieve this? Or am I opening myself up to any weird behavior?
import os
import sys
# Do my personal validation here
do_some_validation(sys.argv)
# Now call the real program
os.execv('/usr/bin/some-command', sys.argv)
Thanks!
You may use subprocess
import subprocess
subprocess.call(['/usr/bin/some-command', arg1, arg2])
subprocess is better than os in a way, in that it has more control over execution of a command, whereas os just throws it to bash.

Execute a terminal command that takes an argument from terminal in python a 2.6 script

My environment uses Python 2.6 and I'm new to Python. I need to write a script that runs a file decoding command which takes several arguments from the command line. My problem is I can't parse arguments taken from the terminal to the file decoding command.
For example if my program name is x.py and when i run "x.py Desktop/abc.txt" how can i pass Desktop/abc.txt as an argument to the cat command?
import commands
import sys
a=open("b.txt","w")
a.write(commands.getoutput('cat sys.argv[1]'))
When i researched it seemed that the above program should work but it didn't. Please help.
You should change commands.getoutput('cat sys.argv[1]') as commands.getoutput('cat %s' % (sys.argv[1],))
You're mixing up the terminal commands and Python commands. If you have a file called abc.py with the following code:
import sys
print sys.argv[1]
And you run it with python abc.py arg1, it should print out arg1.
For a cleaner and easier to read way of using command-line arguments if you want to control things like make sure they are int or allow multiple or whatever, I've had a lot of success using the argparse module in Python - it's much easier to use than the sys.argv style of parsing command-line arguments. Check out the official tutorial / docs here: https://docs.python.org/2/howto/argparse.html

Running command lines within your Python script

So I have a bunch of aliases and Command Line prompt programs, and my main program works by inputting b into the cmd.exe, followed by some filepath names and what not. How would I run those arguments in my python script? So that it mimics the action i am doing in the cmd?
You should use the subprocess module. In particular, subprocess.call will run command line programs for you.
or you can use
import os
os.system('your_command')
for example:
import os
os.system('notepad')
will launch the notepad with the command line behind.
hope this helps
You can do this using subprocess
For example, this call bellow gets the output of the program and stores it as a string, using .call will help with calling it and for more accurate control use .Popen
subprocess.check_output(["ipconfig"])
Check out Sarge - a wrapper for subprocess which aims to make life easier for anyone who needs to interact with external applications from their Python code. and Plumbum - a small yet feature-rich library for shell script-like programs in Python.

How to make python and linux shell interaction?

Now,here is an executable program that I run in a shell. But It needs parameter.How can I use python to pass parameter to the program in a shell. I know a tool in unix named 'expect' which can interact with existing software. I want to know if python can do the same thing! My english is not good~sorry~
Use the subprocess module. Basic example:
>>> import subprocess as sub
>>> sub.call(["ls", "-l"])
Basically you can pass the command and its parameters as a list of strings.
EDIT: Reading again your question I wonder if pexpect is indeed what you want.

Is it possible to use batch scripts in a GUI made with Python?

I was wondering if it was possible to write a GUI in python, and then somewhere in the python script, insert a script switch to temporarily change the language to accomodate for the batch snippet.
I know this can be done in html and vbscript but what about Python?
You can control other processes, written with any language, including bash using the subprocess module.
The subprocess module is the most powerful and complete method for executing other processes. However, there's also a very simple method using the os module: os.system(command) runs command just as if you were to type it into a command line.

Categories