PR100
Calling subprocess.call, subprocess.run, or subprocess.Popen with shell=True hands the command line to the system shell, which can leave the host open to local or remote code execution when any part of that command line comes from untrusted input.
Example
# opt is any value that is not a string literal, e.g. user-supplied input
import subprocess
ret = subprocess.call(['ps', opt], shell=True)

import subprocess
ret = subprocess.run(['ps', opt], shell=True)

import subprocess
ret = subprocess.Popen(['ps', opt], shell=True)
Notes
- String literals are ok
- Lists of string literals are ok
- Call expressions or reference expressions (e.g. get_opt() or opt) are treated as “unsafe” unless escaped with shlex.quote
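The three notes above describe how the rule classifies the arguments of a shell=True call. As an added illustration (not the plugin's own implementation), the following is a small, simplified AST checker that applies the same classification: it flags a subprocess.call/run/Popen call with shell=True whose first argument (or any element of a list/tuple argument) is neither a string literal nor wrapped in shlex.quote. The sample source it scans is constructed here and the function name find_pr100 is an assumption; the real plugin may handle more cases (e.g. the args= keyword, aliased imports).

```python
import ast

# Simplified model of the PR100 rule; not the plugin's own code.
SUBPROCESS_FUNCS = {"call", "run", "Popen"}


def _is_subprocess_call(node: ast.Call) -> bool:
    """True for subprocess.call(...), subprocess.run(...), subprocess.Popen(...)."""
    f = node.func
    return (isinstance(f, ast.Attribute) and f.attr in SUBPROCESS_FUNCS
            and isinstance(f.value, ast.Name) and f.value.id == "subprocess")


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call carries the literal keyword shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def _is_shlex_quote(node: ast.AST) -> bool:
    """True for shlex.quote(<anything>), the escape form the Fixes section uses."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "quote" and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "shlex")


def _unsafe_elements(arg: ast.AST):
    """Yield the sub-expressions of the command argument that the rule treats as unsafe:
    anything that is not a string literal and not shlex.quote(...)."""
    elems = arg.elts if isinstance(arg, (ast.List, ast.Tuple)) else [arg]
    for e in elems:
        if isinstance(e, ast.Constant) and isinstance(e.value, str):
            continue          # string literal: ok
        if _is_shlex_quote(e):
            continue          # escaped with shlex.quote: ok
        yield e               # Name, Call, BinOp, f-string, ...: unsafe


def find_pr100(source: str):
    """Return (line number, command argument source) for each PR100 finding."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and _is_subprocess_call(node)
                and _has_shell_true(node) and node.args):
            if list(_unsafe_elements(node.args[0])):
                findings.append((node.lineno, ast.unparse(node.args[0])))
    return findings


# Constructed sample module exercising each case from the Notes.
SAMPLE = """\
import subprocess, shlex
opt = input()
subprocess.call('ps aux', shell=True)                   # literal: ok
subprocess.run(['ps', 'aux'], shell=True)               # list of literals: ok
subprocess.Popen(['ps', opt], shell=True)               # reference expression: flagged
subprocess.run(['ps', get_opt()], shell=True)           # call expression: flagged
subprocess.call(['ps', shlex.quote(opt)], shell=True)   # escaped: ok
subprocess.run(['ps', opt])                             # no shell=True: not PR100
"""

if __name__ == "__main__":
    for lineno, arg in find_pr100(SAMPLE):
        print(f"line {lineno}: PR100 unsafe argument {arg}")
```

Running the module prints findings for lines 5 and 6 only; ast.unparse requires Python 3.9 or newer.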
Quick Fixes
Fixes
Only use shell=True if absolutely required; if you must, wrap every input in shlex.quote, e.g.
import subprocess
import shlex
# opt is untrusted input; shlex.quote makes the shell treat it as a single word.
# Caveat: when args is a list and shell=True, only the first item is the command
# string the shell runs; the remaining items become the shell's positional
# parameters, so prefer a single command string (or drop shell=True) if the
# value has to reach ps.
ret = subprocess.call(['ps', shlex.quote(opt)], shell=True)
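To show what the fix actually changes, here is an added example that is not part of the original page: it runs the same constructed hostile option through four forms, using echo in place of ps so it works on any POSIX host, and returns what each form printed. The function names and the sample input are assumptions made for this example.

```python
import shlex
import subprocess

# Constructed hostile input: looks like a ps option but smuggles a second command.
HOSTILE_OPT = "aux; echo INJECTED"


def _run(cmd, shell):
    return subprocess.run(cmd, shell=shell, capture_output=True, text=True).stdout


def run_shell_string_unquoted(opt: str) -> str:
    """The vulnerable pattern: untrusted text concatenated into a shell line.
    /bin/sh treats ';' as a command separator and runs the smuggled command."""
    return _run("echo " + opt, shell=True)


def run_shell_string_quoted(opt: str) -> str:
    """The page's fix in the form that works with shell=True: one command string,
    every untrusted piece wrapped in shlex.quote, so the shell sees a single word
    and ';' loses its meaning."""
    return _run("echo " + shlex.quote(opt), shell=True)


def run_argv_no_shell(opt: str) -> str:
    """Preferred: no shell at all. The option is one argv element handed straight to
    the program (/bin/echo here); no metacharacter is ever interpreted."""
    return _run(["echo", opt], shell=False)


def run_list_with_shell(opt: str) -> str:
    """Pitfall of combining a list with shell=True on POSIX: only the first item is
    the command string; the rest become the shell's positional parameters ($0, ...),
    so `opt` never reaches the program at all."""
    return _run(["echo", opt], shell=True)


if __name__ == "__main__":
    print("unquoted, shell=True :", repr(run_shell_string_unquoted(HOSTILE_OPT)))
    print("quoted, shell=True   :", repr(run_shell_string_quoted(HOSTILE_OPT)))
    print("argv, shell=False    :", repr(run_argv_no_shell(HOSTILE_OPT)))
    print("list, shell=True     :", repr(run_list_with_shell("hello")))
```

The unquoted form prints two lines (the second one from the injected command); the quoted string and the argv form both print the option as one literal argument; the list-with-shell form prints an empty line because the option became $0 rather than an argument to echo. Default to the argv form and reserve shell=True with shlex.quote for commands that genuinely need shell features.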