Sanitized input for subprocess with shell=True in python
I have python script, which has code.
...
...
p = subprocess.Popen(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
output, error = p.communicate()
...
...
When I run bandit
it gives error.
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: mypackage/myfile.py:123
123 stderr=subprocess.PIPE,
124 shell=True)
125 output, error = p.communicate()
Then I do some google, and found that, I have to sanitized my input and with shlex.split
and shlex.quote
I can sanitize it.
I changed my code to.
...
...
p = subprocess.Popen(shlex.split(shlex.quote(cmd)),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
output, error = p.communicate()
...
...
But still I get same error, is there any way to remove this error when run bandit -r mypackage/myfile.py