From d45656c53fadcfb774ebc1e35b4d084202ec4ff7 Mon Sep 17 00:00:00 2001
From: Munyoki Kilyungi
Date: Mon, 26 Feb 2024 22:04:36 +0300
Subject: Prevent shell injection by disabling shell invocation in subprocess. See: for more information.
Signed-off-by: Munyoki Kilyungi
---
 gn2/wqflask/edit.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/gn2/wqflask/edit.py b/gn2/wqflask/edit.py
index a3e684cf..7abba0b5 100644
--- gn2/wqflask/edit.py
+++ gn2/wqflask/edit.py
@@ -27,8 +27,7 @@ def save_dataset_metadata(
 @curry(2)
 def __run_cmd(cmd, status_code):
 __result = subprocess.run(
- cmd.split(" "), shell=True,
- capture_output=True
+ cmd, capture_output=True
 )
 if __result.stderr or status_code != 0:
 return Left({
-- cgit 1.4.1
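Review bot: `cmd` is now passed to `subprocess.run` unchanged, and the removed `cmd.split(" ")` suggests callers pass a single string. With the default `shell=False` on POSIX, a string is taken in its entirety as the program path, so a command that carries arguments would fail with `FileNotFoundError` rather than run. If the callers (outside this hunk) still build strings, pass an argument list instead, e.g. `subprocess.run(shlex.split(cmd), capture_output=True)`. Better still, have callers build the list themselves, so that values containing spaces or a leading `-` cannot become extra arguments. A docstring on `__run_cmd` stating that `cmd` must be a sequence of arguments, never a shell string, would pin the contract; the function body continues past the end of the hunk.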