subprocess with shell=True

Bug #1908848 reported by hanchl
Affects: OpenStack Dashboard (Horizon)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Horizon uses subprocess with shell=True in openstack_dashboard\management\commands\extract_messages.py and openstack_dashboard\management\commands\update_catalog.py in function handle

If handle contains a command with a double quote, either accidentally or maliciously, the command will be executed with shell=True. Bandit thinks it's insecure. For more information on subprocess, shell=True and command injection see: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
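To make the Bandit warning concrete, the following added example (not code from Horizon or from the reporter) runs the same harmless `echo` command three ways: with the argument interpolated into a shell string, with the argument quoted via `shlex.quote` for the case where a shell is genuinely required, and as an argument list with no shell at all. The argument value is constructed for the demonstration; only the last two forms return it unchanged.

```python
import shlex
import subprocess

# Constructed test value: contains a double quote and a command substitution,
# i.e. exactly the kind of metacharacters the report is concerned about.
PROBE = 'a"$(echo expanded)"b'


def _stdout(result: subprocess.CompletedProcess) -> str:
    return result.stdout.rstrip("\n")


def run_unquoted_shell(arg: str) -> str:
    # The pattern Bandit flags: argument interpolated into a shell string.
    # /bin/sh parses the quotes and runs the $(...) substitution.
    cmd = "echo " + arg
    return _stdout(subprocess.run(cmd, shell=True, capture_output=True,
                                  text=True, check=True))


def run_quoted_shell(arg: str) -> str:
    # If a shell is unavoidable (pipes, globbing, shell builtins), quote every
    # untrusted piece so the shell sees a single literal word.
    cmd = "echo " + shlex.quote(arg)
    return _stdout(subprocess.run(cmd, shell=True, capture_output=True,
                                  text=True, check=True))


def run_argv(arg: str) -> str:
    # Preferred form: no shell, the argument reaches echo byte-for-byte.
    return _stdout(subprocess.run(["echo", arg], capture_output=True,
                                  text=True, check=True))


def preserves_argument(runner, arg: str = PROBE) -> bool:
    # Simple check: does the command receive the argument verbatim?
    return runner(arg) == arg


if __name__ == "__main__":
    for fn in (run_unquoted_shell, run_quoted_shell, run_argv):
        print(f"{fn.__name__:20s} -> {fn(PROBE)!r}")
```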

Revision history for this message
Akihiro Motoki (amotoki) wrote :

This looks like a generic warning on shell=True for subprocess and there is no practical suggestion.
shell=True is used in update_catalog and extract_catalog but they need to be executed on a shell. We cannot run these commands without shell=True. These commands are used only for maintenance by operators and there is no chance to inject malicious commands.

Changed in horizon:
status: New → Invalid