fix(security): Replace shell=True with safe shlex.split() to prevent command injection
Fix critical command injection vulnerability in with_server.py by removing unsafe shell=True parameter from subprocess.Popen() calls.
File: webapp-testing/scripts/with_server.py
Using shell=True with user-provided commands allows arbitrary shell command injection. An attacker could inject malicious commands using shell metacharacters like ;, |, &&, $(), etc.
# If server_cmd contains: "npm start; rm -rf /"
# With shell=True, this executes BOTH commands
subprocess.Popen(server_cmd, shell=True) # DANGEROUS!
- Removed `shell=True` from all `subprocess.Popen()` calls
- Added a `parse_server_command()` function using `shlex.split()` for safe parsing
- Handled the `cd directory && command` pattern using the subprocess `cwd` parameter instead of a shell `cd` command

self.proc = subprocess.Popen(
server_cmd,
shell=True, # VULNERABLE
...
)
import shlex
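def parse_server_command(cmd):
    """Split a server command into ``(working_dir, argv)`` without a shell.

    Supports the ``cd <dir> && <command>`` convention by returning the
    directory separately so the caller can hand it to ``Popen`` as ``cwd``
    instead of letting a shell interpret ``cd``. Shell metacharacters in
    ``cmd`` (``;``, ``|``, ``$()``, ...) are never interpreted: they end up
    as literal argv entries for the program being started.

    Args:
        cmd: The server command string as supplied by configuration.

    Returns:
        ``(working_dir, argv)`` where ``working_dir`` is ``None`` when no
        ``cd`` prefix is present and ``argv`` is a list suitable for
        ``subprocess.Popen`` with ``shell=False``.

    Raises:
        ValueError: If the command is empty after parsing, the ``cd`` prefix
            does not name exactly one directory, or either part has
            unbalanced quotes (propagated from ``shlex.split``).
    """
    command = cmd.strip()
    working_dir = None
    if command.startswith('cd ') and '&&' in command:
        cd_part, command = (p.strip() for p in command.split('&&', 1))
        # Parse the directory with shlex as well, so a quoted path with
        # spaces (cd "/my dir" && npm start) arrives without its quotes.
        cd_args = shlex.split(cd_part[3:])
        if len(cd_args) != 1:
            raise ValueError(
                f"expected exactly one directory after 'cd': {cd_part!r}"
            )
        working_dir = cd_args[0]
    argv = shlex.split(command)
    # Popen([]) fails with an opaque error; reject it here with a clear one.
    if not argv:
        raise ValueError("server command is empty")
    return working_dir, argv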
cwd, command_parts = parse_server_command(server_cmd)
self.proc = subprocess.Popen(
command_parts, # List of arguments, not shell string
cwd=cwd, # Use cwd parameter for directory changes
...
)
cd directory && command patterns are handled safely