Python subprocess.run in secure way
My Python script has to run a binary that is available only via the console, so I use subprocess.run and it looks like this:

import subprocess

# ARGS is the parsed command-line options (e.g. an argparse namespace); it is
# defined elsewhere in the script and not shown in the question.
CMD = [
    "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe",
    "/gd",
    f"[{ARGS.projectName}]\\{ARGS.groupName}",
    f"/collection:{ARGS.organization}",
]

# shell=True is the setting Bandit flags (B602); it is kept here because this
# is the code as written in the question.
DELETE_OUTPUT = subprocess.run(
    CMD, check=True, stdout=subprocess.PIPE, shell=True
).stdout.decode("utf-8")

print(f"[DEBUG] DELETE_OUTPUT: {DELETE_OUTPUT}")

It works fine, but Bandit reports some issues:

[B404:blacklist] Consider possible security implications associated with subprocess module.

[B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue

Is there a way to run the CLI in a more secure way to make Bandit happy?

Shulock answered 11/5, 2020 at 16:48 Comment(3)
Don't use shell=True and it should be happy, as it's dangerous. - Arbutus
Also, seeing how you called subprocess.run(), there does not seem to be any reason why you would want to run it through a shell. - Gorblimey
I am also getting the same Codacy error for subprocess.Popen(); I have used shell=False, but Codacy is still reporting the same issue. - Forlorn
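Added example, not code from the question or its comments: the same TFSSecurity invocation built as an argument list and run with the default shell=False, which is the change the comments recommend, plus a constructed check showing that shell metacharacters inside an argument are passed to the child process literally. The question's ARGS values are replaced by function parameters; TFSSecurity.exe itself is not executed here.

```python
import subprocess  # nosec B404 - Bandit flags the import only as a reminder to audit each call
import sys

TFSSECURITY = r"C:\Program Files\Azure DevOps Server 2019\Tools\TFSSecurity.exe"


def build_tfssecurity_cmd(project_name, group_name, organization):
    """Return the argv list for 'TFSSecurity /gd' as used in the question.

    Every argument is its own list element, so the values reach the process
    verbatim; no shell ever parses them.
    """
    return [
        TFSSECURITY,
        "/gd",
        f"[{project_name}]\\{group_name}",
        f"/collection:{organization}",
    ]


def run_cli(argv):
    """Run argv without a shell and return its stdout as text.

    shell=False (the default) is what silences Bandit B602: argv[0] is
    executed directly and the remaining items become its arguments.
    check=True raises CalledProcessError on a non-zero exit status.
    """
    completed = subprocess.run(argv, check=True, capture_output=True, text=True)
    return completed.stdout


def metacharacters_are_literal():
    """Show that shell metacharacters in an argument are not interpreted.

    Constructed demo: a tiny Python child prints back its argv[1]. The value
    contains '&&', which a shell would treat as a command separator; without
    a shell it is just text and comes back unchanged.
    """
    value = "MyGroup && echo injected"
    out = run_cli([sys.executable, "-c", "import sys; print(sys.argv[1])", value])
    return out.strip() == value


if __name__ == "__main__":
    print(build_tfssecurity_cmd("MyProject", "Contributors", "https://tfs.example/Coll"))
    print("metacharacters passed literally:", metacharacters_are_literal())
```

If Bandit still flags the call after shell=True is removed, the remaining finding is usually B603 (subprocess without shell), which only asks you to confirm the argument list is built from trusted input.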
