
My Python script has to run a binary that is available only via the console, so I use subprocess.run and it looks like this:

import subprocess

# ARGS is the parsed argparse namespace of the script (defined earlier, not shown here)
CMD = [
    "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe",
    "/gd",
    f"[{ARGS.projectName}]\\{ARGS.groupName}",
    f"/collection:{ARGS.organization}",
]

# runs the command through the shell and captures stdout as bytes
DELETE_OUTPUT = subprocess.run(
    CMD, check=True, stdout=subprocess.PIPE, shell=True
).stdout.decode("utf-8")

print(f"[DEBUG] DELETE_OUTPUT: {DELETE_OUTPUT}")

It works fine, but Bandit reports some issues:

[B404:blacklist] Consider possible security implications associated with subprocess module.

[B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue

Is there a way to run the CLI in a more secure way, to make Bandit happy?

  • Don't use [shell=True](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess) and it should be happy, as it's [dangerous](https://docs.python.org/2/library/subprocess.html#frequently-used-arguments). – Torxed May 11 '20 at 16:50
  • Also, seeing how you called `subprocess.run()`, there does not seem to be any reason why you would want to run it through `shell`. – Ondrej K. May 11 '20 at 17:15
  • I am also getting the same Codacy error for `subprocess.Popen()`; I have used `shell=False`, but Codacy is still reporting the same issue. – MUKHTAR INAMDAR Jan 04 '22 at 05:13

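The comments above say to drop `shell=True`. The following is an added example, not code from the question or from any of the commenters, showing what that looks like in practice: the command stays an argument list, `shell=False` (the default) means no `cmd.exe` ever re-tokenises the group name, and an allow-list check on the names is added before the call. The TFSSecurity.exe path is the one from the question but is never executed here; the allow-list pattern, the `is_safe_name`/`build_delete_group_cmd`/`run_cmd`/`argv_seen_by_child` names and the `.invalid` collection URL are assumptions made for the example. `argv_seen_by_child` uses the running Python interpreter as a stand-in binary so the example can show, offline, that an argument containing spaces and `&` arrives in the child exactly as sent.

```python
import json
import re
import subprocess
import sys

# Path from the question. It is only used to build the argv list; nothing in this
# example executes it (assumption: the tool is not installed where this runs).
TFSSECURITY = r"C:\Program Files\Azure DevOps Server 2019\Tools\TFSSecurity.exe"

# Assumed allow-list for project and group names: letters, digits, space, dot,
# underscore and hyphen. Tighten or widen it to match the names you actually use.
_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]+")


def is_safe_name(name: str) -> bool:
    """True when the whole name consists of allow-listed characters only."""
    return bool(_NAME_RE.fullmatch(name))


def build_delete_group_cmd(project: str, group: str, collection: str,
                           exe: str = TFSSECURITY) -> list:
    """Return the argv list for the '/gd' call.

    Each list element reaches the child process as one argument. With shell=False
    there is no shell in between, so '&', '|', quotes or spaces inside a value are
    data, not syntax. The allow-list check rejects surprising input early anyway.
    """
    for value in (project, group):
        if not is_safe_name(value):
            raise ValueError(f"unexpected characters in name: {value!r}")
    return [exe, "/gd", f"[{project}]\\{group}", f"/collection:{collection}"]


def run_cmd(cmd: list) -> str:
    """Run an argv list without a shell and return its stdout as text.

    check=True raises CalledProcessError on a non-zero exit status.
    Bandit still reports B603 (low) here; the nosec marks it as reviewed.
    """
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)  # nosec B603
    return result.stdout


def argv_seen_by_child(arg: str) -> str:
    """Spawn this interpreter as a stand-in binary and return the argv[1] it received.

    The child prints its argument as JSON so the parent can compare it exactly.
    """
    cmd = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1]))", arg]
    return json.loads(run_cmd(cmd))


if __name__ == "__main__":
    # Constructed probe: spaces and '&' survive verbatim because no shell parses them.
    probe = "Dev Ops & Friends"
    print(argv_seen_by_child(probe) == probe)
    print(build_delete_group_cmd("MyProject", "Readers",
                                 "https://tfs.example.invalid/DefaultCollection"))
```

With `shell=False`, B602 disappears. Bandit still emits B404 on the `import subprocess` line and B603 on the call; both are informational (low severity) and are normally silenced per line with a `# nosec` comment once the call has been reviewed, which is what the example does for B603.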