Merge pull request #13782 from jorgectf/jorgectf/shlex-quote

Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer

python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py

@@ -46,4 +46,8 @@ def subprocess_flag (name):
     subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False
 
 def intentional(command): 
-    os.system("fish -ic " + command) # $result=OK - intentional
+    os.system("fish -ic " + command) # $result=OK - intentional
+
+import shlex
+def unsafe_shell_sanitized(name): 
+    os.system("ping " + shlex.quote(name)) # $result=OK - sanitized