Potentially unsafe subprocess execution (shell=True)

[mikewhiteman]

Hello 👋 - Any particular reason that subprocess needs to be run with Shell=True?

An example:

https://github.com/OrkoHunter/pep8speaks/blob/837643bb95c18a5364cd0539b0f8edaeb3813a76/pep8speaks/helpers.py#L234

Shell=True is a more dangerous way of invoking subprocess that exposes you to potential command injection attacks. If you're not using any shell specific features (e.g. |), changing it to shell=False is a pretty easy fix.

[OrkoHunter]

Related #28

[sarnold]

I think the answer is basically split the cmd string: https://github.com/OrkoHunter/pep8speaks/blob/30af5bf0de1a2bfdf35b0a76bf63c70486c12c69/pep8speaks/helpers.py#L231 and pass cmd as a list to Popen , then you can set shell=False and you're done. Lastly (and I just learned this recently) running bandit on the source code will find this kind of thing.