subprocess call with shell=True identified, security issue.
On file src/ansys/geometry/core/connection/product_instance.py:
403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:
404 """
405 Start the program where the path is the first item of the ``args`` array argument.
406
407 Parameters
408 ----------
409 args : List[str]
410 List of arguments to be passed to the program. The first list's item shall
411 be the program path.
412 local_env : Dict[str,str]
413 Environment variables to be passed to the program.
414
415 Returns
416 -------
417 subprocess.Popen
418 The subprocess object.
419 """
420 return subprocess.Popen(
421 args,
422 shell=os.name != "nt",
423 stdin=subprocess.DEVNULL,
424 stdout=subprocess.DEVNULL,
425 stderr=subprocess.DEVNULL,
426 env=local_env,
427 )
428
429
Upon calling this method _start_program
directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the shell=True
option.
For more information see https://cwe.mitre.org/data/definitions/78.html
Visit https://bandit.readthedocs.io/en/1.7.8/plugins/b602subprocesspopenwithshellequalstrue.html to find out more information.
{ "nvd_published_at": "2024-03-26T03:15:13Z", "cwe_ids": [ "CWE-78" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-25T19:37:46Z" }