The following expressions can not be used in the custom code for both security and technical reasons:

  • no_shell = [
      "os.execl",
      "os.execle",
      "os.execlp",
      "os.execlpe",
      "os.execv",
      "os.execve",
      "os.execvp",
      "os.execvpe",
      "os.spawnl",
      "os.spawnle",
      "os.spawnlp",
      "os.spawnlpe",
      "os.spawnv",
      "os.spawnve",
      "os.spawnvp",
      "os.spawnvpe",
      "os.startfile"
    ]

  • shell = [
      "os.system",
      "os.popen",
      "os.popen2",
      "os.popen3",
      "os.popen4",
      "popen2.popen2",
      "popen2.popen3",
      "popen2.popen4",
      "popen2.Popen3",
      "popen2.Popen4",
      "commands.getoutput",
      "commands.getstatusoutput"
    ]

  • subprocess = [
      "subprocess.Popen",
      "subprocess.call",
      "subprocess.check_call",
      "subprocess.check_output"
    ]