Dangerous code.InteractiveConsole Usage

HIGH

code.InteractiveConsole and code.interact() enable arbitrary Python code execution and should not be exposed to untrusted users.

Rule Information

Language
Python
Category
Python Core
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, code-module, interactive-console, code-execution, repl, CWE-95, OWASP-A03
CWE References

Interactive Playground

pathfinder scan --ruleset python/PYTHON-LANG-SEC-003 --project .

About This Rule

Understanding the vulnerability and how it is detected

Python's code module provides the InteractiveConsole and InteractiveInterpreter classes and the interact() function, which together implement a Python read-eval-print loop (REPL). These are intended for debugging and development tooling; when they are exposed to, or called with, untrusted input in production code, they grant the caller full Python code execution.

code.InteractiveConsole().interact() drops into a full Python REPL. code.compile_command() compiles a possibly incomplete fragment of Python source and is the building block on which interactive interpreters are assembled. Any application that pipes untrusted network or user input into these components effectively gives the attacker a remote Python shell on the server.

These functions are legitimate for local development tools, administrative debug consoles that are properly authenticated, and embedded REPL features. They become dangerous when exposed unauthenticated over a network or when the input source is not strictly controlled.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Remote Python Shell

An unauthenticated or improperly authenticated code.interact() endpoint gives the attacker a full interactive Python interpreter with the privileges of the web server process, equivalent to SSH access to the host.

2. Unrestricted File System Access

Through the interactive console, an attacker can read, write, and delete any file accessible to the process, including application secrets, SSL private keys, database credentials, and user data.

3. Process and System Control

The interactive console can spawn subprocesses, open network connections, modify environment variables, send signals to other processes, and call any system call available to Python, giving the attacker complete control of the host environment.

4. Debug Endpoint Exposure

Development debug panels (such as Werkzeug's debug console) that use code module internals are commonly left enabled in production deployments. This is a well-known and frequently exploited attack vector in Python web applications.

How to Fix

Recommended remediation steps

  1. Never expose code.InteractiveConsole or code.interact() over an unauthenticated network endpoint.
  2. In production deployments, disable any debug console or REPL endpoint; ensure DEBUG=False in all production configuration.
  3. If an admin REPL is required, gate it behind strong multi-factor authentication, restrict it to localhost or a VPN-only interface, and log all commands executed.
  4. Replace interactive consoles with purpose-built admin CLIs that accept an explicit allowlist of commands without arbitrary code execution.
  5. Use a process supervisor or container runtime that provides exec access only to authorized operations teams rather than exposing a Python REPL.
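An added example (not Code Pathfinder's or the rule author's code) of remediation steps 3 and 4: a purpose-built admin command dispatcher with an explicit allowlist and audit logging in place of a REPL. The `flag-get`/`flag-set` verbs and the `FEATURE_FLAGS` state are constructed for the demo; operator input is only ever matched against the table, never compiled or evaluated.

```python
import logging
import shlex

audit_log = logging.getLogger("admin.audit")
FEATURE_FLAGS = {"new_checkout": False}  # constructed application state for the demo

def cmd_flag_get(name):
    return f"{name}={FEATURE_FLAGS[name]}" if name in FEATURE_FLAGS else f"unknown flag {name}"

def cmd_flag_set(name, value):
    if name not in FEATURE_FLAGS or value not in ("on", "off"):
        return "rejected: unknown flag or value"
    FEATURE_FLAGS[name] = value == "on"
    return f"{name}={FEATURE_FLAGS[name]}"

# The allowlist: verb -> (handler, required argument count). Only these handlers are
# reachable from operator input; nothing is passed to compile(), exec() or a REPL.
COMMANDS = {
    "flag-get": (cmd_flag_get, 1),
    "flag-set": (cmd_flag_set, 2),
}

def dispatch(operator, line):
    """Run one allowlisted admin command for ``operator`` and audit it."""
    try:
        parts = shlex.split(line)
    except ValueError:  # unbalanced quotes
        parts = []
    if not parts or parts[0] not in COMMANDS:
        audit_log.warning("user=%s rejected=%r", operator, line)
        return "rejected: unknown command"
    handler, argc = COMMANDS[parts[0]]
    if len(parts) - 1 != argc:
        audit_log.warning("user=%s rejected=%r", operator, line)
        return f"rejected: {parts[0]} takes {argc} argument(s)"
    result = handler(*parts[1:])
    audit_log.info("user=%s cmd=%r result=%r", operator, line, result)
    return result
```

Every accepted and rejected line is written to the `admin.audit` logger with the operator's identity, which gives the command trail step 3 asks for without any path from input to code execution.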

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule detects calls to code.InteractiveConsole(), code.interact(), code.compile_command(), and code.InteractiveInterpreter() from the Python standard library code module. All call sites are flagged as these functions are designed for interactive interpreter use and are inappropriate in production application code that processes external input.
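An added example of the detection logic described above, written here for illustration and not Code Pathfinder's rule implementation: an `ast`-based pass that flags the four call sites, following `import code as c` and `from code import interact as shell` aliases. The `SAMPLE` source it scans is constructed to exercise those import styles.

```python
import ast

# Calls into the stdlib ``code`` module that rule PYTHON-LANG-SEC-003 flags.
FLAGGED = {"InteractiveConsole", "InteractiveInterpreter", "interact", "compile_command"}

class CodeModuleCallFinder(ast.NodeVisitor):
    """Collect flagged ``code`` module calls, following import aliases."""

    def __init__(self):
        self.module_aliases = set()  # local names bound to the ``code`` module itself
        self.direct_names = {}       # local name -> member imported via ``from code import``
        self.findings = []           # (line number, qualified name)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "code":
                self.module_aliases.add(alias.asname or "code")

    def visit_ImportFrom(self, node):
        if node.module == "code":
            for alias in node.names:
                if alias.name in FLAGGED:
                    self.direct_names[alias.asname or alias.name] = alias.name

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            if func.value.id in self.module_aliases and func.attr in FLAGGED:
                self.findings.append((node.lineno, f"code.{func.attr}"))
        elif isinstance(func, ast.Name) and func.id in self.direct_names:
            self.findings.append((node.lineno, f"code.{self.direct_names[func.id]}"))
        self.generic_visit(node)  # keep walking so nested calls like X(...).interact() are seen

def find_code_module_calls(source):
    """Return [(lineno, 'code.<name>'), ...] for every flagged call in ``source``."""
    finder = CodeModuleCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed sample: the call patterns the rule describes, under three import styles.
SAMPLE = """\
import code
import code as c
from code import interact as shell

def admin_handler(request):
    shell(local=locals())
    code.InteractiveConsole(locals()).interact()
    c.compile_command(request.body)
"""
```

Like the rule itself, this pass only sees direct imports of the `code` module; a wrapper library that re-exports these names under another module is not followed.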

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

CWE Top 25
CWE-95 - Eval Injection in the MITRE CWE Top 25 Most Dangerous Software Weaknesses
OWASP Top 10
A03:2021 - Injection
NIST SP 800-53
SI-10: Information Input Validation
PCI DSS v4.0
Requirement 6.2.4 - Protect web-facing applications against injection attacks

Frequently Asked Questions

Common questions about Dangerous code.InteractiveConsole Usage

No. When used in a local development tool, a properly authenticated and localhost-only admin console, or an embedded REPL for trusted users, code.InteractiveConsole is appropriate. It is dangerous when the input it processes can be influenced by untrusted remote users or when it is exposed on a network interface without authentication.

code.compile_command() is the building block for interactive interpreters. Its presence usually indicates that a partial REPL is being assembled. The flag prompts a review of how the compiled code object is eventually executed, since the execution step may follow without being obvious from the call site alone.

Werkzeug's interactive debugger uses code module internals to provide a REPL in browser-based exception pages. When deployed with DEBUG=True in production, this console is reachable by any user who can trigger an exception. This has been exploited in numerous real-world attacks. This rule helps identify code paths that share this pattern.

Use structured logging and distributed tracing for debugging production issues. For administrative operations, expose a purpose-built CLI with explicit command verbs, proper authentication, and audit logging. If live inspection of running processes is required, use py-spy or similar profiling tools that do not expose code execution.

Yes. If the code.InteractiveConsole usage is in a module that is only loaded in development environments (e.g., guarded by an explicit DEVELOPMENT_MODE flag or only present in a dev-specific Django management command), document the suppression with a comment explaining the trust boundary and access control measures.

The rule detects direct calls to the code module functions. If a wrapper library re-exports these functions under a different name, the indirect call may not be detected. Review dependencies that provide REPL or interactive shell functionality to ensure they do not expose code module internals without proper access controls.
