Code Injection in Logging Config
The logging.config.listen() function starts a socket server that lets you change the logging configuration of a running application. However, if you leave the verify argument as None (or set it to False), you are opening yourself up to a security vulnerability: anyone who can connect to the listening socket can send arbitrary configuration data to your application, and because the received data is handed straight to the logging configuration loader, this can allow them to execute arbitrary code.
Example
import logging.config
thread = logging.config.listen(port=1111, verify=None)
Remediation
The verify argument should be set to a callable that checks whether the bytes received on the socket are valid and should be processed. The callable returns the (possibly transformed) bytes to be loaded as configuration, or None to discard the data. One way to verify the data is to use encryption and/or signing.
import logging.config
def validate(recv: bytes):
    # Check recv here (e.g. verify a signature or decrypt it).
    # Return the configuration bytes to process, or None to reject them.
    return recv
thread = logging.config.listen(verify=validate)
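As an added example that is not part of this rule's documentation, the following shows one concrete signing-based verify callable: the sender prefixes the configuration payload with an HMAC-SHA256 tag under a shared key (a layout assumed here, not something the logging module defines), and the verifier returns the payload only when the tag checks out, otherwise None so listen() discards it.

```python
import hashlib
import hmac
import logging.config
from typing import Callable, Optional

# Assumed wire layout (not part of the logging module): a 32-byte
# HMAC-SHA256 tag over the configuration payload, followed by the payload.
TAG_LEN = hashlib.sha256().digest_size


def sign_config(key: bytes, config: bytes) -> bytes:
    """Sender side: prefix the configuration bytes with an HMAC-SHA256 tag."""
    tag = hmac.new(key, config, hashlib.sha256).digest()
    return tag + config


def make_verifier(key: bytes) -> Callable[[bytes], Optional[bytes]]:
    """Build a callable suitable for logging.config.listen(verify=...).

    listen() passes the raw bytes received on the socket to this callable.
    Returning bytes means "process this as configuration"; returning None
    means "reject it", so unsigned or tampered data never reaches the
    configuration loader.
    """

    def verify(recv: bytes) -> Optional[bytes]:
        if len(recv) <= TAG_LEN:
            return None  # too short to carry a tag and a payload
        tag, config = recv[:TAG_LEN], recv[TAG_LEN:]
        expected = hmac.new(key, config, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak the tag via timing.
        if not hmac.compare_digest(tag, expected):
            return None
        return config

    return verify


if __name__ == "__main__":
    # Constructed key for the demo; in practice load it from a secret store.
    shared_key = b"replace-with-a-real-secret-key"
    thread = logging.config.listen(port=1111, verify=make_verifier(shared_key))
    thread.start()
```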
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY010) or the rule category name (code_injection).
Using rule ID:
import logging.config
# suppress: PY010
thread = logging.config.listen(port=1111, verify=None)
Using category name:
import logging.config
# suppress: code_injection
thread = logging.config.listen(port=1111, verify=None)