This repository has been archived by the owner on May 3, 2024. It is now read-only.

subprocess call with shell=True identified, security issue. #1954

Closed
mukul-seagate11 opened this issue Jul 4, 2022 — with Codacy Production · 9 comments
Labels
codacy; Status: L1 Triage (Initial triage); Triage: DevTeam (Triage owner is on the dev team)

Comments

Contributor

Codacy detected an issue:

Message: subprocess call with shell=True identified, security issue.

Currently on:

@rkothiya rkothiya added the codacy label Jul 4, 2022
@rkothiya rkothiya self-assigned this Jul 4, 2022

For the convenience of the Seagate development team, this issue has been mirrored in a private Seagate Jira Server: https://jts.seagate.com/browse/CORTX-33346. Note that community members will not be able to access that Jira server but that is not a problem since all activity in that Jira mirror will be copied into this GitHub issue.


stale bot commented Jul 10, 2022

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @nkommuri @mehjoshi @huanghua78 for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.

@r-wambui r-wambui added the Triage: DevTeam (Triage owner is on the dev team) and Status: L1 Triage (Initial triage) labels Jul 25, 2022
@stale stale bot removed the needs-attention label Jul 25, 2022

stale bot commented Jul 30, 2022

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @nkommuri @mehjoshi @huanghua78 for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.


Rinku Kothiya commented in Jira Server:

The following PR should address this.
[https://github.com//pull/2032]



Rinku Kothiya commented in Jira Server:

There are 2 new Codacy issues after fixing the 2 issues. The new warning is "subprocess call - check for execution of untrusted input". According to the issue below, it seems that we need to manually ignore this if we think that the input is trusted:
[https://github.com/PyCQA/bandit/issues/333]

@stale stale bot removed the needs-attention label Aug 1, 2022
Contributor

rkothiya commented Aug 2, 2022

The PR has been merged.

@rkothiya rkothiya closed this as completed Aug 2, 2022

Rinku Kothiya commented in Jira Server:

Set shell=False in the subprocess module.


Rinku Kothiya commented in Jira Server:

Patch was reviewed and merged.


Rinku Kothiya commented in Jira Server:

We no longer see the critical warning.

The newly generated low-severity warning, which was supposed to be manually verified and ignored, has been approved for ignoring as commented in the pull request, and has been ignored and updated in the table.
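The fix the thread settles on, an argv list passed with shell=False plus a reviewed `# nosec` on the remaining low-severity warning, as an added example that is not code from the CORTX repository or from the PR; the tool name and the sample file name are constructed for illustration:

```python
import json
import subprocess
import sys
from typing import List

# Constructed sample input: a file name carrying shell metacharacters.
UNTRUSTED_NAME = "report.txt; echo injected"


def shell_command(name: str) -> str:
    """The shape behind the Codacy finding: one string handed to a shell with shell=True.

    Built only for inspection, never executed here. A shell would split it at ';' and
    run 'echo injected' as a second command, so any caller-controlled name becomes a
    command-injection path. Bandit reports this pattern as B602.
    """
    return f"tool --input {name}"


def argv_command(name: str) -> List[str]:
    """Hardened shape: an argv list for shell=False, so the name stays one argument."""
    return ["tool", "--input", name]


def run_safely(name: str) -> List[str]:
    """Run a child with shell=False and return the argv it actually received.

    The child is the current interpreter echoing sys.argv[1:] as JSON, so the check
    runs offline on any platform. Bandit still emits its low-severity B603 warning
    for any subprocess call, because it cannot tell trusted from untrusted input;
    that is the warning the thread reviews and then suppresses with '# nosec'.
    """
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))",
             "--input", name]
    done = subprocess.run(child, shell=False, capture_output=True,  # nosec B603
                          text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    print("shell string :", shell_command(UNTRUSTED_NAME))
    print("argv list    :", argv_command(UNTRUSTED_NAME))
    print("child argv   :", run_safely(UNTRUSTED_NAME))
```

The child's argv shows the whole name, semicolon included, arriving as a single argument, which is exactly what the string form cannot guarantee.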
