Shell Escape Fixer - Wraps subprocess arguments with shlex.quote()

Suggested By


Wraps arguments to,, or subprocess.Popen with shlex.quote().


Insecure arguments (i.e. returned from function/method calls, or variables) should be escaped:

import subprocess
ret = subprocess.Popen(['ps', opt], shell=True)

This raises PR100 and suggests the Shell Escape Fixer. When the fix is applied, the code becomes:

import subprocess
from shlex import quote as shlex_quote
ret = subprocess.Popen(['ps', shlex_quote(opt)], shell=True)

This applies to single or list arguments. One or multiple arguments meeting the criteria will be escaped in a single fix.

NB: the import is aliased to shlex_quote to avoid polluting the namespace or colliding with other functions named quote.
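
The effect of the escaping on a POSIX shell, as an added example that is not part of the original page or of the fixer's own code. The sample value and the function names are constructed for illustration. It also shows a caveat of passing a list together with shell=True: only the first item is the command string.

```python
import shlex
import subprocess

# Constructed sample standing in for an untrusted value (not from the page).
UNTRUSTED = "aux; echo INJECTED"


def run_shell(command):
    """Run command through /bin/sh (shell=True) and return its stdout lines."""
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def unquoted(value):
    # Before the fix: the shell parses ';' in the value as a command
    # separator, so the text after it runs as a second command.
    return run_shell("printf '%s\\n' " + value)


def quoted(value):
    # After the fix: shlex.quote() single-quotes the value, so the shell
    # passes it to printf as one literal argument.
    return run_shell("printf '%s\\n' " + shlex.quote(value))


def list_with_shell(value):
    # POSIX caveat: with shell=True and a list, this runs `sh -c echo value`.
    # Only "echo" is the command string; value becomes the shell's $0 and
    # never reaches echo, which prints an empty line.
    return run_shell(["echo", value])


if __name__ == "__main__":
    print("unquoted:", unquoted(UNTRUSTED))
    print("quoted:  ", quoted(UNTRUSTED))
    print("list:    ", list_with_shell(UNTRUSTED))
```
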