PAR101

Unquoted inputs to paramiko exec_command() can leave the remote host vulnerable to shell injection.

Applies to :

• SSHClient.exec_command()
• Channel.exec_command()

Notes

• String literals are ok
• Call expressions or reference expressions are treated as "unsafe" unless escaped

Quick Fixes

• Shell Escape Fixer

Fixes

Use shlex.quote surrounding any input, e.g.

import paramiko
import shlex

client = paramiko.SSHClient(...)
ret = client.exec_command(shlex.quote(input))