This looks like a generic warning on shell=True for subprocess and there is no practical suggestion. shell=True is used in update_catalog and extract_catalog but they need to be executed on a shell. We cannot run these commands without shell=True. These commands are used only for maintenance by operators and there is no chance to inject malicious commands.
** Changed in: horizon
   Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1908848

Title:
  subprocess with shell=True

Status in OpenStack Dashboard (Horizon):
  Invalid

Bug description:
  Horizon uses subprocess with shell=True in openstack_dashboard\management\commands\extract_messages.py and openstack_dashboard\management\commands\update_catalog.py in function handle. If handle contains a command with a double quote, either accidentally or maliciously, the command will be executed with shell=True. Bandit thinks it's insecure.

  For more information on subprocess, shell=True and command injection see:
  https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1908848/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
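The quoting break-out the bug description refers to, as an added example that is not part of the bug report or of Horizon's management commands: a hypothetical command that interpolates an untrusted value into a double-quoted shell=True string, beside the argv-list form and, for the case the maintainer raises where a real shell is needed, the same shell=True call with the value passed through shlex.quote. The use of echo, the helper names and the payload are constructed for this demonstration and are not taken from the project.

```python
import shlex
import subprocess

# Constructed payload: closes the double-quoted argument and appends two more
# shell commands. "INJECTED" only shows up on its own output line when /bin/sh
# actually parsed it as a separate command.
PAYLOAD = 'en"; echo INJECTED; echo "'


def run_interpolated(value):
    """Vulnerable form: the untrusted value is pasted into a string that the
    shell then parses, so a double quote in the value changes the command."""
    cmd = 'echo "%s"' % value
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(value):
    """Safe form: an argv list with no shell. The value reaches echo as exactly
    one argument, quotes and semicolons included."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout


def run_quoted(value):
    """When a shell really is required (pipes, globbing, redirection), quote
    every untrusted token with shlex.quote so the shell sees it as one word."""
    cmd = "echo %s" % shlex.quote(value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injected(output):
    """True if INJECTED was executed as its own command, i.e. it appears as a
    whole output line rather than inside the echoed literal."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (run_interpolated, run_argv, run_quoted):
        out = fn(PAYLOAD)
        print(f"{fn.__name__}: injected={injected(out)} output={out!r}")
```

Only the interpolated form reports injected=True; the argv form and the shlex.quote form both print the payload back as a single literal line. Whether an operator-only maintenance command needs the hardening is the judgement call in the thread above; the quoting fix costs nothing and keeps Bandit quiet without giving up the shell.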