Skip to content

argparse — sensitive info

Invocation of Process Using Visible Sensitive Information in argparse

Do not read secrets directly from command line arguments. When a command accepts a secret like via a --password argument or --api-key, the argument value will leak the secret into ps output and shell history. This also encourages the use of insecure environment variables for secrets.

Example

argparse_add_argument_password.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
import argparse


parser = argparse.ArgumentParser(
    prog="ProgramName",
    description="What the program does",
)
parser.add_argument(
    "-u",
    "--user",
    dest="user",
    action="store",
    help="user for the database",
)
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store",
    help="password for the database",
)
Example Output 
> precli tests/unit/rules/python/stdlib/argparse/examples/argparse_add_argument_password.py
⛔️ Error on line 8 in argparse_add_argument_password.py
PY027: Invocation of Process Using Visible Sensitive Information
Secrets in CLI arguments are leaked to command history, logs, ps output, etc.

Remediation

Consider accepting sensitive data only from an interactive hidden prompt or via files. A --password-file argument allows a secret to be passed in discreetly, in a wide variety of contexts.

argparse_add_argument_password.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
import argparse


parser = argparse.ArgumentParser(
    prog='ProgramName',
    description='What the program does',
)
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store_true",
    help="password for the database",
)

See also

Info

New in version 0.3.14

Changed in version 0.4.1: --api-key also checked