Prevent shell injection by disabling shell invocation in subprocess.

See: <https://stackoverflow.com/questions/52019920/python3-sanitizing-user-input-passed-to-shell-as-parameter> for more information. Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
author: Munyoki Kilyungi 2024-02-26 22:04:36 +0300
committer: BonfaceKilz 2024-03-26 10:01:13 +0300
commit: d45656c53fadcfb774ebc1e35b4d084202ec4ff7 (patch)
tree: 3b461464116e36cc19b32ae157599c0ae81b30dc /gn2/wqflask
parent: 0a7a63daafb741ac79d3f6a4bb733e854bc42509 (diff)
download: genenetwork2-d45656c53fadcfb774ebc1e35b4d084202ec4ff7.tar.gz
1 files changed, 1 insertions, 2 deletions
diff --git a/gn2/wqflask/edit.py b/gn2/wqflask/edit.py
index a3e684cf..7abba0b5 100644
--- a/gn2/wqflask/edit.py
+++ b/gn2/wqflask/edit.py
@@ -27,8 +27,7 @@ def save_dataset_metadata(
     @curry(2)
     def __run_cmd(cmd, status_code):
         __result = subprocess.run(
-            cmd.split(" "), shell=True,
-            capture_output=True
+            cmd, capture_output=True
         )
         if __result.stderr or status_code != 0:
             return Left({
author	Munyoki Kilyungi	2024-02-26 22:04:36 +0300
committer	BonfaceKilz	2024-03-26 10:01:13 +0300
commit	d45656c53fadcfb774ebc1e35b4d084202ec4ff7 (patch)
tree	3b461464116e36cc19b32ae157599c0ae81b30dc /gn2/wqflask
parent	0a7a63daafb741ac79d3f6a4bb733e854bc42509 (diff)
download	genenetwork2-d45656c53fadcfb774ebc1e35b4d084202ec4ff7.tar.gz