
Insecure command invocation in setup.py

Open mhucka opened this issue 4 months ago • 0 comments

Describe the issue

CodeQL scanning reports a vulnerability in setup.py: https://github.com/quantumlib/qsim/security/code-scanning/51

```python
        # Configure step in setup.py's build_ext: "cmake" is passed as a bare
        # name and is resolved through PATH at run time.
        if not os.path.exists(self.build_temp):
            os.makedirs(self.build_temp)
        subprocess.check_call(
            ["cmake", ext.sourcedir] + cmake_args, cwd=self.build_temp, env=env
        )
```

The check_call may allow the user to execute malicious code.

What version of qsim are you using?

0.23.0.dev0

How can the issue be reproduced?

No response

mhucka, Aug 19 '25 17:08
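The snippet above runs `cmake` as a bare name through `PATH` and passes `cmake_args` straight through. The following is an added example, not code from the issue or from qsim's `setup.py`, showing the shape of a hardened configure step: the executable is resolved to an absolute path before it is run, every argument is checked for type and shell metacharacters even though the list form of `subprocess` never invokes a shell, and the exact argv is assembled in a pure function so it can be inspected and tested without running anything. The function names (`resolve_cmake`, `check_cmake_args`, `build_cmake_argv`, `run_cmake`), the `search_path` parameter and the forbidden-character set are assumptions made for this example; the page does not say which CodeQL rule fired, so this addresses the two things the flagged call visibly does rather than a specific alert.

```python
import os
import shutil
import subprocess
from typing import Iterable, List, Optional, Sequence

# Characters that should never appear in an argument handed to the build tool.
# A list-form subprocess call does not go through a shell, so these would not
# be interpreted, but their presence is a reliable sign that a value came from
# somewhere it should not have (an environment variable, a user-supplied
# option), and the build should stop rather than pass it along.
_FORBIDDEN_CHARS = frozenset(";&|`$<>\n\r\x00")


def resolve_cmake(cmake_exe: Optional[str] = None,
                  search_path: Optional[str] = None) -> str:
    """Resolve the cmake executable to an absolute path before running it.

    cmake_exe may be a bare name or a path; search_path overrides PATH for
    the lookup (assumed parameter, used so the example is testable offline).
    A bare "cmake" that cannot be found is an error here, not something to
    hand to the OS to search for at exec time.
    """
    candidate = cmake_exe or "cmake"
    if _FORBIDDEN_CHARS.intersection(candidate):
        raise ValueError(f"refusing suspicious cmake executable name: {candidate!r}")
    resolved = shutil.which(candidate, path=search_path)
    if resolved is None:
        raise FileNotFoundError(f"cmake executable not found: {candidate!r}")
    return os.path.realpath(resolved)


def check_cmake_args(cmake_args: Iterable[object]) -> List[str]:
    """Validate -D/-G/... arguments: strings only, non-empty, no metacharacters."""
    checked: List[str] = []
    for arg in cmake_args:
        if not isinstance(arg, str):
            raise TypeError(f"cmake argument is not a str: {arg!r}")
        if not arg:
            raise ValueError("empty cmake argument")
        bad = _FORBIDDEN_CHARS.intersection(arg)
        if bad:
            raise ValueError(f"cmake argument {arg!r} contains {sorted(bad)!r}")
        checked.append(arg)
    return checked


def build_cmake_argv(cmake_path: str, sourcedir: str,
                     cmake_args: Iterable[object]) -> List[str]:
    """Assemble the exact argv that will be executed. Pure: runs nothing."""
    if not os.path.isabs(cmake_path):
        raise ValueError(f"cmake path must be absolute: {cmake_path!r}")
    if not os.path.isabs(sourcedir):
        raise ValueError(f"source directory must be absolute: {sourcedir!r}")
    return [cmake_path, sourcedir] + check_cmake_args(cmake_args)


def run_cmake(sourcedir: str, cmake_args: Sequence[str], build_temp: str,
              env: Optional[dict] = None,
              cmake_exe: Optional[str] = None) -> List[str]:
    """Replacement for the configure step quoted in the issue.

    Same inputs as the original call, but the executable is resolved first,
    the argv is validated, the environment is always passed explicitly and
    shell=False is spelled out. Returns the argv that was run.
    """
    argv = build_cmake_argv(resolve_cmake(cmake_exe), sourcedir, cmake_args)
    if not os.path.isdir(sourcedir):
        raise FileNotFoundError(f"source directory does not exist: {sourcedir!r}")
    os.makedirs(build_temp, exist_ok=True)
    subprocess.check_call(argv, cwd=build_temp,
                          env=dict(os.environ if env is None else env),
                          shell=False)
    return argv


if __name__ == "__main__":
    # Constructed demo input: show the argv that would run, without running it.
    print(build_cmake_argv("/usr/bin/cmake", "/home/me/qsim",
                           ["-DCMAKE_BUILD_TYPE=Release"]))
```

`build_cmake_argv` is deliberately separated from `run_cmake` so a unit test can assert on the exact command line without a compiler toolchain present; the rejection of `;`, `|`, `$` and friends is a tripwire for tainted input, not a substitute for keeping `shell=True` out of the call.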