Python Injection - is there such a thing?

Question

I've been doing some penetration testing on my own site and have been doing a lot of research on common vulnerabilities.

SQL injection comes up a lot but I was wondering, could there possibly be such a thing as python injection? Say for example that a web form submitted a value that was entered in a dictionary in some python backend app. Would it be possible that if that input wasn't handled correctly that python code could be injected and executed in the app?

Is there a way to easily and harmlessly test for this vulnerability - if it is indeed a potential vulnerability? I can't seem to find many web resources on this topic.

Answer 1

This depends entirely on what you do with the input from the webform. In normal use the form gets encoded as x-www-form-urlencoded or json -- Both formats which can be deserialized into a python dictionary completely safely. Of course, they could be deserialized in unsafe ways too -- Make sure that you use libraries that are dedicated to handling this properly (e.g. urlparse or json).

From there, whether the input is safe depends entirely on what the application does with it. (e.g. it is not safe if the application uses eval with input based on the decoded dict).

As for automated testing for this -- I don't know of any way to accomplish this, but these problems are generally pretty easy to mitigate by just following normal best-practices (don't eval code you don't trust, etc. etc.)