OpenStack Dashboard (Horizon)

subprocess with shell=True

Bug #1908848 reported by hanchl on 2020-12-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Invalid	Undecided	Unassigned

Bug Description

Horizon uses subprocess with shell=True in openstack_dashboard\management\commands\extract_messages.py and openstack_dashboard\management\commands\update_catalog.py in function handle

Handle contains command with a double quote, either accidentally or maliciously, the command will be executed with shell=True. Bandit think it's insecure. For more information on subprocess, shell=True and command injection see: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

Revision history for this message

Akihiro Motoki (amotoki) wrote on 2021-02-26:

This looks like a generic warning on shell=True for subprocess and there is no practical suggestion.
shell=True is used in udpate_catalog and extract_catalog but they need to be executed on a shell. We cannot run these commands without shell=True. These commands are used only for maintenance by operators and there is no chance to inject malicious commands.

Changed in horizon:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.