3

Using os code is generally accepted as bad practice from a security perspective, as it could potentially provide a bad actor with phenomenal cosmic powers. Nonetheless, most sources appear to recommend using the following to get env variables.

import os
print(os.environ['FOO'])

This approach is also suggested here on SO, such as in "How to access environment variable values?" I know that one can use dotenv to pick up a .env file and to create new env variables, but I have not been able to find anything for existing env variables.

This leads me to the following questions.

  • Is Python's os secure enough to render my concerns unnecessary?
  • Is from os import environ any better than going for the entire import os?
  • Is there a method that is more secure and avoids os entirely?

Thanks muchley!

Improve this question
6
  • 3
    I'm sorry, why do you want to avoid os? Where is it generally accepted as bad practice? It's probably imported already just as part of the interpreter runtime. I'm not sure what you are trying to avoid, exactly. Commented Apr 21, 2021 at 10:54
  • 3
    "Is from os import environ any better than going for the entire import os?" why would it be? Note, you cannot "partially" import modules, these two different import statements merely change what is made available in the current namespace... the module is fully loaded in either case Commented Apr 21, 2021 at 10:55
  • 4
    There are parts of os that may be risky (such as the os.exec family) if you don't use them properly. But environment variables are no more risky that user input. Commented Apr 21, 2021 at 10:56
  • @juanpa.arrivillaga I am not saying that Python's os specifically is bad, I was saying that, in general, it is advised to avoid using operating system code for security reasons. Whether this extends to Python's os is the aim of this question. Commented Apr 21, 2021 at 11:06
  • 1
    The os module isn't operating system code. It's Python code. It has that name because it provides access to facilities that are provided by the operating system or the shell. You are reading way too much into the way it is named. Commented Apr 21, 2021 at 21:08

1 Answer 1

Reset to default
1

I was saying that, in general, it is advised to avoid using operating system code for security reasons.

That is not true. Even if by "os code" you mean only Python's os module and not system calls (see the output of man 2 on a UNIX system). You should stop reading (or watching) whatever gave you that impression.

There are a handful of functions which can pose a security risk if used incorrectly. The most notorious being os.popen() when passed a single string as the command to run. When used in that manner the string is interpreted by a subshell and is subject to "word expansion" and "word splitting". Which, in a POSIX shell like bash, is risky unless you are 100% certain about any shell metacharacters that might be present in the original string or the values of any variable expansions.

There is absolutely nothing risky about os.environ other than the exception that will be raised if the key (the env var name) is not present in the map. Which is why you should generally use os.getenv() since that makes it easier to handle the case where the env var isn't present.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

My impression on operating code was formed by my IBM Cybersecurity qualification credly.com/badges/6bf9b2a9-604f-4bcd-b319-127afc4a051e/… but as I mentioned, the purpose of this question is to learn whether that extends to the Python os module.
@JamesGeddes: In my four decades as an IT professional I've received numerous certifications and accreditations such as the one you cite. In my experience most of them aren't worth the paper they're printed on. Again, there is nothing risky about "operating system code" or Python's os module; at least in the broad sense you mean.
I am glad my concerns are unwarranted in this case. Seems sensible to avoid unnecessary security risks in general though.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.