Open bosd opened 1 year ago
Just tested this one on python3.10 on windows 10. Working ok.
Can you please explain how is this "safer" ?
Sorry, I cannot. I'm not very knowledgable on the subject. Basically this pr is to silence a "critical" codefactor.io complaint. I'm utiliting the suggested fix from codefactor.io.
I'll paste here the complaint and explanation.
This rule looks for the spawning of a subprocess using a command shell. This type of subprocess invocation is dangerous as it is vulnerable to various shell injection attacks. Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by the use of certain commands which are known to use shells.
Example of insecure code:
import os
os.system('/bin/echo suspicious code')
The subprocess module provides more powerful facilities for spawning new processes and retrieving their results; using that module is preferable to using this function.
Example of secure code:
import subprocess
subprocess.call('/bin/echo suspicious code', shell=False)
Further Reading
The Python Standard Library - subprocess - Frequently Used Arguments
@Harvie Can you merge this?
Ping @Harvie
Ping @Harvie
Yeah, i am still not sure whether this is actualy making something safer or just removing actual useful feature, because some automated tool thinks it might be unsafe without understanding context...
Did'nt notice any feature removal.. if so, we an always revert.
An quick attempt to silence B605: start_process_with_a_shell.