Skip to content

Commit 7e7f4c1

Browse files
committed
security: fix remaining subprocess vulnerabilities in container_dispatcher.py
- Add validation to handle_multi() push parameter - Use static script paths to prevent path injection - Validate boolean type for push parameter - Addresses remaining Semgrep subprocess security warnings Fixes: Semgrep alert 1211 (remaining subprocess calls)
1 parent 58d870f commit 7e7f4c1

1 file changed

Lines changed: 10 additions & 2 deletions

File tree

dev-tools/container/container_dispatcher.py

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -59,8 +59,10 @@ def handle_version():
5959

6060
def handle_run():
6161
"""Handle run command."""
62+
# Static script path - no user input validation needed
63+
script_path = "./dev-tools/scripts/container_build.sh"
6264
try:
63-
subprocess.run(["./dev-tools/scripts/container_build.sh"], check=True)
65+
subprocess.run([script_path], check=True)
6466
return 0
6567
except subprocess.CalledProcessError as e:
6668
return e.returncode
@@ -99,7 +101,13 @@ def handle_single():
99101

100102
def handle_multi(push):
101103
"""Handle multi-platform build."""
102-
cmd = ["./dev-tools/scripts/container_build.sh"]
104+
# Validate push parameter
105+
if not isinstance(push, bool):
106+
raise ValueError(f"Invalid push parameter: {push}")
107+
108+
script_path = "./dev-tools/scripts/container_build.sh"
109+
cmd = [script_path]
110+
103111
if push:
104112
os.environ["PUSH"] = "true"
105113

0 commit comments

Comments
 (0)