5

I have a python app that works with URL lists and produces bash script as an output.

How to sanitize URL so that a malicious user could not inject bash commands that will be executed on my infrastructure.

For instance:

http://www.circl.lu/a.php?rm -Rf /etc
Improve this question
5
  • stackoverflow.com/questions/205923/… ? Commented Apr 10, 2019 at 13:19
  • Also: code.google.com/archive/p/owasp-esapi-python Commented Apr 10, 2019 at 13:20
  • Whether or not you need to sanitize it depends on what you are doing with it. As a simple example, printf '%s\n' "$UNSANITIZED_URL" is completely safe. (Assuming no buffer-overflow bugs or the like in your shell itself.) Commented Apr 10, 2019 at 13:20
  • @DirtyBit the bash script is output, I need to sanitize URL in Python Commented Apr 10, 2019 at 13:25
  • @chepner the output (bash script) may be executed on different systems, so I have no control over it Commented Apr 10, 2019 at 13:31

1 Answer 1

Reset to default
7

I guess urllib is an option to parse the urls, in order to escape harmful characters. At least it looks like a good resource for your use case. See the docs of url-quoting.

from urllib.parse import quote

quote('touch foo', safe='/')
quote('rm -Rf /etc', safe='/')
quote('http://www.circl.lu/a.php?rm -Rf /etc', safe='/:?&')

#'touch%20foo'
#'rm%20-Rf%20/etc'
#'http://www.circl.lu/a.php?rm%20-Rf%20/etc'
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.