
Invocation of Process Using Visible Sensitive Information in argparse

PY027
visible_sensitive_information
CWE-214
⛔️ Error

Do not read secrets directly from command line arguments. When a command accepts a secret as the value of an argument such as --password or --api-key, that value becomes part of the process's argv, which is visible to every local user through ps output (and /proc/<pid>/cmdline on Linux) and is recorded in the shell's history file. Passing secrets on the command line also encourages copying them into environment variables, which are likewise readable by other processes and are inherited by every child process.

Example


Error
import argparse


parser = argparse.ArgumentParser(
    prog='ProgramName',
    description='What the program does',
)
# The secret is taken as the argument's value (e.g. `ProgramName -p hunter2`),
# so it is exposed in the process's argv, in ps output and in shell history.
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store",
    help="password for the database",
)

Remediation



Accept sensitive data only from an interactive hidden prompt (for example getpass) or from a file. A --password-file argument lets a secret be supplied without the value ever appearing in the argument list, and it also works in non-interactive contexts such as cron jobs and CI pipelines where a prompt is not possible. If a --password option is kept for convenience, give it action="store_true" so that it takes no value and only signals that the program should prompt for the password.

import argparse


parser = argparse.ArgumentParser(
    prog='ProgramName',
    description='What the program does',
)
# `store_true` turns `--password` into a flag with no value: `ProgramName -p`
# only records that a password is wanted, and the program must then obtain it
# from a hidden prompt (getpass) or a file, never from argv.
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store_true",
    help="prompt for the database password",
)
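A complete version of that remediation, added here as an example rather than code taken from the rule's documentation. It accepts the database password either from a --password-file (refusing files that other local users can read) or from a hidden getpass prompt when -p is given, and never from an argument value. The option names, the ProgramName parser and the file-permission check are this example's own assumptions.

```python
import argparse
import getpass
import os
from pathlib import Path
from typing import Callable, Optional


def build_parser() -> argparse.ArgumentParser:
    """Parser whose options never carry the secret itself as a value."""
    parser = argparse.ArgumentParser(
        prog="ProgramName",
        description="What the program does",
    )
    # Exactly one of the two safe channels may be chosen.
    group = parser.add_mutually_exclusive_group()
    group.add_argument(
        "--password-file",
        type=Path,
        help="path to a file whose first line is the database password",
    )
    group.add_argument(
        "-p",
        "--password",
        action="store_true",  # a flag only: the value is never on the command line
        help="prompt interactively for the database password (input is hidden)",
    )
    return parser


def read_password_file(path: Path) -> str:
    """Read the secret from a file, refusing group/world-readable files on POSIX.

    The permission check is an assumption of this example, not something the
    rule requires; it stops a secret file that was created with a loose umask
    from being read silently.
    """
    mode = path.stat().st_mode
    if os.name == "posix" and mode & 0o077:
        raise PermissionError(
            f"{path}: refusing to read a secret from a group/world-readable file"
        )
    with path.open("r", encoding="utf-8") as fh:
        secret = fh.readline().rstrip("\r\n")
    if not secret:
        raise ValueError(f"{path}: password file is empty")
    return secret


def resolve_password(
    args: argparse.Namespace,
    prompt: Callable[[str], str] = getpass.getpass,
) -> Optional[str]:
    """Return the secret from whichever safe channel the user selected.

    `prompt` defaults to getpass.getpass, which reads from the controlling
    terminal with echo disabled; it is injectable so the logic can be tested.
    """
    if args.password_file is not None:
        return read_password_file(args.password_file)
    if args.password:
        return prompt("Database password: ")
    return None


if __name__ == "__main__":
    namespace = build_parser().parse_args()
    password = resolve_password(namespace)
    # Never echo the secret back; only report whether one was obtained.
    print("password supplied" if password else "no password supplied")
```

Running `ProgramName -p` prompts with echo off; `ProgramName --password-file ~/.db-pass` reads the first line of that file, so the secret appears neither in `ps` nor in shell history. Keeping the prompt function injectable is what makes the resolution logic unit-testable without a terminal.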

False Positives


In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY027) or rule category name (visible_sensitive_information).

import argparse


parser = argparse.ArgumentParser(
    prog='ProgramName',
    description='What the program does',
)
# suppress: PY027
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store",
    help="password for the database",
)

See also