2

Using os code is generally accepted as bad practice from a security perspective, as it could potentially provide a bad actor with phenomenal cosmic powers. Nonetheless, most sources appear to recommend using the following to get env variables.

import os
print(os.environ['FOO'])

This approach is also suggested here on SO, such as in "How to access environment variable values?" I know that one can use dotenv to pick up a .env file and to create new env variables, but I have not been able to find anything for existing env variables.

This leads me to the following questions.

  • Is Python's os secure enough to render my concerns unnecessary?
  • Is from os import environ any better than going for the entire import os?
  • Is there a method that is more secure and avoids os entirely?

Thanks muchley!

Konrad Rudolph
  • 530,221
  • 131
  • 937
  • 1,214
James Geddes
  • 742
  • 3
  • 10
  • 35
  • 3
    I'm sorry, why do you want to avoid os? Where is it generally accepted as bad practice? It's probably imported already just as part of the interpreter runtime. I'm not sure what you are trying to avoid, exactly. – juanpa.arrivillaga Apr 21 '21 at 10:54
  • 3
    "Is from os import environ any better than going for the entire import os?" why would it be? Note, you cannot "partially" import modules, these two different import statements merely change what is made available in the current namespace... the module is fully loaded in either case – juanpa.arrivillaga Apr 21 '21 at 10:55
  • 4
    There are *parts* of `os` that *may* be risky (such as the `os.exec` family) if you don't use them properly. But environment variables are no more risky that user input. – paxdiablo Apr 21 '21 at 10:56
  • @juanpa.arrivillaga I am not saying that Python's `os` specifically is bad, I was saying that, in general, it is advised to avoid using operating system code for security reasons. Whether this extends to Python's `os` is the aim of this question. – James Geddes Apr 21 '21 at 11:06
  • 1
    The `os` module *isn't* operating system code. It's Python code. It has that *name* because it provides access to facilities that are provided by the operating system or the shell. You are reading way too much into the way it is named. – BoarGules Apr 21 '21 at 21:08
  • @BoarGules I guess your answer to my first part of this question would therefore be "yes, your concerns are unnecessary" which is super. – James Geddes Apr 22 '21 at 08:37

1 Answers1

1

I was saying that, in general, it is advised to avoid using operating system code for security reasons.

That is not true. Even if by "os code" you mean only Python's os module and not system calls (see the output of man 2 on a UNIX system). You should stop reading (or watching) whatever gave you that impression.

There are a handful of functions which can pose a security risk if used incorrectly. The most notorious being os.popen() when passed a single string as the command to run. When used in that manner the string is interpreted by a subshell and is subject to "word expansion" and "word splitting". Which, in a POSIX shell like bash, is risky unless you are 100% certain about any shell metacharacters that might be present in the original string or the values of any variable expansions.

There is absolutely nothing risky about os.environ other than the exception that will be raised if the key (the env var name) is not present in the map. Which is why you should generally use os.getenv() since that makes it easier to handle the case where the env var isn't present.

Kurtis Rader
  • 6,734
  • 13
  • 20
  • My impression on operating code was formed by my IBM Cybersecurity qualification https://www.credly.com/badges/6bf9b2a9-604f-4bcd-b319-127afc4a051e/public_url but as I mentioned, the purpose of this question is to learn whether that extends to the Python `os` module. – James Geddes Apr 22 '21 at 08:30
  • @JamesGeddes: In my four decades as an IT professional I've received numerous certifications and accreditations such as the one you cite. In my experience most of them aren't worth the paper they're printed on. Again, there is nothing risky about "operating system code" or Python's `os` module; at least in the broad sense you mean. – Kurtis Rader Apr 22 '21 at 18:00
  • I am glad my concerns are unwarranted in this case. Seems sensible to avoid unnecessary security risks in general though. – James Geddes Apr 23 '21 at 09:43