Unsafe shell command constructed from library input in `luigi/contrib/lsf.py`

Open Ali-Razmjoo opened this issue 1 year ago • 0 comments

Hi,

I am reporting a potential security issue with an unsafe shell command constructed from library input in https://github.com/spotify/luigi/blob/master/luigi/contrib/lsf.py#L84-L88

I am unsure if the command line is affected by user input, but it would be great to change the behavior and set shell=False in case of any input.

subprocess.Popen(cmd, shell=False)

References

OWASP: Command Injection
CWE-78: Improper Neutralization of Special Elements used in an OS Command
CWE-88: Improper Neutralization of Argument Delimiters in a Command
CWE-73: External Control of File Name or Path

Aug 24 '24 11:08 Ali-Razmjoo