Sanitized input for subprocess with shell=True in python

asked 2016-05-31 12:46:37 -0500

lafada gravatar image

I have python script, which has code.

...
...
p = subprocess.Popen(cmd,
                     stdout=subprocess.PIPE,
                     stderr=subprocess.PIPE,
                     shell=True)
output, error = p.communicate()
...
...

When I run bandit it gives error.

>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   Location: mypackage/myfile.py:123
123                                          stderr=subprocess.PIPE,
124                                          shell=True)
125                     output, error = p.communicate()

Then I do some google, and found that, I have to sanitized my input and with shlex.split and shlex.quote I can sanitize it.

I changed my code to.

...
...
p = subprocess.Popen(shlex.split(shlex.quote(cmd)),
                     stdout=subprocess.PIPE,
                     stderr=subprocess.PIPE,
                     shell=True)
output, error = p.communicate()
...
...

But still I get same error, is there any way to remove this error when run bandit -r mypackage/myfile.py

edit retag flag offensive close merge delete
add a comment