harden: reject shell=True in run_command#3132
Merged
Merged
Conversation
run_command() forwarded shell= straight to subprocess.run, so a caller passing shell=True would invoke a shell. Reject shell=True with ValueError (keeping the parameter for signature compatibility) and drop shell= from both subprocess.run calls. Enable ruff S602/S604/S605 to flag any future shell=True reintroduction, annotate the one intentional workflow shell sink with # noqa: S602, and document the shell-step execution risk in workflows/PUBLISHING.md.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the command-execution utility surface by preventing run_command() from ever invoking a shell, and adds linting + documentation guardrails to keep that posture intact going forward.
Changes:
- Update
run_command()to rejectshell=Truewith aValueErrorwhile preserving the keyword parameter for compatibility. - Enable Ruff security rules (S602/S604/S605) and explicitly annotate the one intentional
shell=Trueusage in the workflowShellStep. - Add targeted test coverage and document the security implications of workflow shell steps.
Show a summary per file
| File | Description |
|---|---|
src/specify_cli/_utils.py |
Rejects shell=True in run_command() and removes forwarding of shell into subprocess.run. |
tests/test_utils.py |
Adds regression test ensuring shell kw remains present/defaults False, and shell=True raises ValueError. |
pyproject.toml |
Enables Ruff security rules to prevent reintroducing shell execution without explicit acknowledgement. |
src/specify_cli/workflows/steps/shell/__init__.py |
Adds an explicit # noqa on the intentional shell execution sink (ShellStep). |
workflows/PUBLISHING.md |
Documents that workflow shell steps are arbitrary code execution and provides review guidance before install. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/5 changed files
- Comments generated: 0
Collaborator
|
Thank you! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of splitting #2442 into smaller, dedicated PRs. Re-derived against current
main(the #2442 branch is ~20 commits behind).What
run_command()now rejectsshell=TruewithValueErrorinstead of forwarding it tosubprocess.run. Theshellparameter is kept (defaultFalse) for signature / keyword-caller compatibility.S602/S604/S605so any futureshell=True(oros.system/popen) must be acknowledged with an explicit# noqa.ShellStep) with# noqa: S602.workflows/PUBLISHING.md.Why
run_command(shell=True)would run its argv through a shell (word-splitting, globbing, injection surface). No call site needs that mode; failing loudly prevents a future caller from silently enabling it.Validation
tests/test_utils.py::test_run_command_rejects_shell_execution_compatiblypasses.ruff check --select S602,S604,S605 src tests/test_utils.pyis clean.Independent of the other split PRs.