PR Custody

Security: Command Injection via shell=True in with_server.py

@tuanaiseochecks n/achecks…contribai/fix/security/command-injection-via-shell-true-in-with → master1 files · +6 −4updated 4w ago

GitHub

▸Description

Problem

The script uses shell=True in subprocess.Popen which allows shell injection attacks. User-controlled server commands could execute arbitrary shell commands.

Severity: critical File: webapp-testing/scripts/with_server.py

Solution

Replace shell=True with shell=False and pass command as a list of arguments instead of a string. Use shlex.split() if shell is required, or better yet, avoid shell=True entirely.

Changes

webapp-testing/scripts/with_server.py (modified)

Testing

Existing tests pass
Manual review completed
No new warnings/errors introduced

loading diff…