
yahoo-eng-team team mailing list archive

[Bug 1908848] [NEW] subprocess with shell=True

 

Public bug reported:

Horizon uses subprocess with shell=True in
openstack_dashboard\management\commands\extract_messages.py and
openstack_dashboard\management\commands\update_catalog.py in function
handle

Handle contains a command with a double quote; either accidentally or
maliciously, the command will be executed with shell=True. Bandit thinks
it's insecure. For more information on subprocess, shell=True and
command injection see:
https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1908848

Title:
  subprocess with shell=True

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1908848/+subscriptions
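
The difference the report points at, shown as an added example that is not Horizon's code and not part of the original report: the same value passed through a command string with shell=True and through an argument list. The `locale` parameter, the child script and the sample value are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Constructed child program: reports how many arguments it actually received.
CHILD = "import sys; print('args=%d' % (len(sys.argv) - 1))"


def run_shell_string(locale):
    """Pattern Bandit flags: the command is one string, parsed by /bin/sh."""
    # The value sits inside double quotes that the shell interprets, so a
    # double quote inside the value ends the quoting early.
    cmd = f'{shlex.quote(sys.executable)} -c "{CHILD}" "{locale}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.split()


def run_arg_list(locale):
    """Hardened form: no shell, each list element is exactly one argv entry."""
    cmd = [sys.executable, "-c", CHILD, locale]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout.split()


def run_shell_quoted(locale):
    """Fallback when a shell is unavoidable: quote the value with shlex.quote."""
    cmd = f'{shlex.quote(sys.executable)} -c "{CHILD}" {shlex.quote(locale)}'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.split()


if __name__ == "__main__":
    # Constructed value containing a double quote, as described in the report.
    value = 'en"; echo INJECTED; echo "'
    print("shell string :", run_shell_string(value))
    print("argument list:", run_arg_list(value))
    print("shell, quoted:", run_shell_quoted(value))
```

With the argument list there is no shell parsing step, so quoting inside the value has no effect on which program runs.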
