pep8speaks icon indicating copy to clipboard operation
pep8speaks copied to clipboard

Published 20 hours ago verified publisher icon pep8speaks-org

Potentially unsafe subprocess execution (shell=True)

Open mikewhiteman opened this issue 4 years ago • 2 comments

Hello 👋 - Any particular reason that subprocess needs to be run with Shell=True?

An example:

https://github.com/OrkoHunter/pep8speaks/blob/837643bb95c18a5364cd0539b0f8edaeb3813a76/pep8speaks/helpers.py#L234

Shell=True is a more dangerous way of invoking subprocess that exposes you to potential command injection attacks. If you're not using any shell specific features (e.g. |), changing it to shell=False is a pretty easy fix.

mikewhiteman avatar Jul 22 '20 03:07 mikewhiteman

Related https://github.com/OrkoHunter/pep8speaks/issues/28

OrkoHunter avatar Jul 22 '20 06:07 OrkoHunter

I think the answer is basically split the cmd string: https://github.com/OrkoHunter/pep8speaks/blob/30af5bf0de1a2bfdf35b0a76bf63c70486c12c69/pep8speaks/helpers.py#L231 and pass cmd as a list to Popen , then you can set shell=False and you're done. Lastly (and I just learned this recently) running bandit on the source code will find this kind of thing.

sarnold avatar Oct 09 '21 19:10 sarnold