subprocess popen call with shell equals True
BAN-B602

335             current_path = current_path.replace("/", f"{os.sep}")
336             if os.path.isdir(current_path):
337                 print(f"Running: cd {current_path} && {command} ".replace("\'",""))
338                 subprocess.Popen(f"cd {current_path} && {command} ".replace("\'",""), shell=True)
339             elif os.path.isfile(current_path):
340                 print(f"Running: {command} {current_path}".replace("\'",""))
341                 subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)

347         current_path = current_path.replace("/", f"{os.sep}")
348         if os.path.isdir(current_path):
349             print(f"Running: cd {paths[0]} && {command} ".replace("\'",""))
350             subprocess.Popen(f"cd {paths[0]} && {command} ".replace("\'",""), shell=True)
351         elif os.path.isfile(current_path):
352             print(f"Running: {command} {current_path}".replace("\'",""))
353             subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)

338                 subprocess.Popen(f"cd {current_path} && {command} ".replace("\'",""), shell=True)
339             elif os.path.isfile(current_path):
340                 print(f"Running: {command} {current_path}".replace("\'",""))
341                 subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)
342
343     else:  # if only a single path is specified instead of a 'list' of them
344         current_path = paths[0]

350             subprocess.Popen(f"cd {paths[0]} && {command} ".replace("\'",""), shell=True)
351         elif os.path.isfile(current_path):
352             print(f"Running: {command} {current_path}".replace("\'",""))
353             subprocess.Popen(f"{command} {current_path}".replace("\'",""), shell=True)
354
355
356 def _preprocess_paths(paths: str) -> str:
Using shell=True can expose you to security risks if someone crafts input to issue different commands than the ones you intended.

Python has many mechanisms for invoking an external executable, but doing so can become a security issue if user-provided or variable input is not sanitized with appropriate care. Invoking a subprocess through a command shell is dangerous because it is vulnerable to shell injection: an attacker can craft input that makes the shell run commands other than the ones you intended, for example removing a file. Take great care to sanitize all input in order to mitigate this risk. Calls of this type are identified by the parameter shell=True being passed.

Prefer call forms that do not spawn a shell, such as passing the program and its arguments as a list. If you must go through a shell, use shlex.quote to sanitize every value interpolated into the command string.
import subprocess

subprocess.Popen(cmd, shell=True)  # Sensitive, shell spawned: the system shell parses cmd, including any metacharacters in it

import subprocess

subprocess.Popen(cmd)  # No shell: cmd is an argument list such as ["ls", "-l"], and each element reaches the program unchanged
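As an added example (not code from the scanned project or from the rule text), the flagged `cd {path} && {command}` string is shown beside a shell-free rewrite, tokenised the way a POSIX shell would read it. The names `build_shell_string`, `shell_commands`, `run_with_path`, `last_argument_seen` and `CRAFTED_PATH` are chosen here, and the file name is a constructed sample; note that the original's `.replace("'", "")` strips single quotes, which is exactly what shlex.quote would have added.

```python
import os
import shlex
import subprocess
import sys

# Constructed sample input (not from the report): a file name that a shell
# reads as a command separator followed by a second command.
CRAFTED_PATH = "/data/notes; echo injected.txt"


def build_shell_string(current_path: str, command: str) -> str:
    """The flagged pattern: path and command interpolated into one shell string.
    As in the original, single quotes are stripped, so quoting cannot protect the path."""
    return f"cd {current_path} && {command} ".replace("'", "")


def shell_commands(cmd_string: str) -> list[list[str]]:
    """Split a string into the separate commands a POSIX shell would run.
    ';', '&&', '||' and '|' are the separators; everything else is a word."""
    lexer = shlex.shlex(cmd_string, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_with_path(argv: list[str], current_path: str) -> subprocess.CompletedProcess:
    """Hardened form with no shell: a directory becomes cwd=, anything else is
    appended as one argv element, so metacharacters in the path are never parsed."""
    if os.path.isdir(current_path):
        return subprocess.run(argv, cwd=current_path, capture_output=True, text=True)
    return subprocess.run(argv + [current_path], capture_output=True, text=True)


def last_argument_seen(current_path: str) -> str:
    """Stand-in for the editor/tool: a child that reports its first argument,
    or its working directory when it was started with cwd= instead."""
    child = "import os, sys; print(sys.argv[1] if len(sys.argv) > 1 else os.getcwd())"
    return run_with_path([sys.executable, "-c", child], current_path).stdout.rstrip("\n")


if __name__ == "__main__":
    print(shell_commands(build_shell_string(CRAFTED_PATH, "code")))  # three commands, not one
    print(last_argument_seen(CRAFTED_PATH))  # the whole name arrives as a single argument
```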