yahoo-eng-team team mailing list archive
Message #85263
[Bug 1908848] Re: subprocess with shell=True
This looks like a generic warning on shell=True for subprocess and there is no practical suggestion.
shell=True is used in update_catalog and extract_catalog but they need to be executed on a shell. We cannot run these commands without shell=True. These commands are used only for maintenance by operators and there is no chance to inject malicious commands.
** Changed in: horizon
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1908848
Title:
subprocess with shell=True
Status in OpenStack Dashboard (Horizon):
Invalid
Bug description:
Horizon uses subprocess with shell=True in openstack_dashboard\management\commands\extract_messages.py and openstack_dashboard\management\commands\update_catalog.py in function handle.
If handle contains a command with a double quote, either accidentally or maliciously, the command will be executed with shell=True. Bandit thinks it's insecure. For more information on subprocess, shell=True and command injection see:
https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1908848/+subscriptions
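As an added illustration of the shell=True concern the report raises (example code, not from Horizon or from either message): the same operator-supplied argument passed as an argv list with shell=False, and passed through shlex.quote when a shell genuinely is required. It assumes a POSIX sh is available; the child script ECHO_ARGV, the sample value UNTRUSTED_ARG and the helper has_shell_metachars are hypothetical.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: an operator-supplied value that happens to contain
# characters a POSIX shell interprets (space, semicolon, command substitution).
UNTRUSTED_ARG = "locale dir; $(echo expanded)"

# Hypothetical child program: it reports the argv it actually received,
# so we can see exactly what crossed the process boundary.
ECHO_ARGV = "import sys, json; print(json.dumps(sys.argv[1:]))"


def run_as_argv(arg: str) -> list:
    """shell=False: each list element is one argv entry; nothing is re-parsed."""
    out = subprocess.run(
        [sys.executable, "-c", ECHO_ARGV, arg],
        capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


def build_shell_line(arg: str) -> str:
    """When a shell really is needed, quote every piece before joining."""
    parts = (sys.executable, "-c", ECHO_ARGV, arg)
    return " ".join(shlex.quote(p) for p in parts)


def run_in_shell_quoted(arg: str) -> list:
    """shell=True, but the quoted line makes the shell see one literal word."""
    out = subprocess.run(
        build_shell_line(arg), shell=True,
        capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


def has_shell_metachars(s: str) -> bool:
    """Cheap lint for values headed into a shell string: shlex.quote leaves
    only [A-Za-z0-9@%+=:,./_-] untouched, so any change means the shell
    would have treated the raw value specially."""
    return shlex.quote(s) != s


if __name__ == "__main__":
    print("argv list   :", run_as_argv(UNTRUSTED_ARG))
    print("quoted shell:", run_in_shell_quoted(UNTRUSTED_ARG))
```

Both calls hand the child the literal string; the `$(...)` is never expanded because it is either not seen by a shell at all or is single-quoted before the shell reads it.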