assume shell=False for subprocess calls, fixes FPs in e.g. youtube-dl

2026-05-03 04:39:29 +02:00 · 2023-02-02 14:43:14 +01:00
parent d228cf0e7b
commit e9ebba3350
2 changed files with 4 additions and 2 deletions
--- a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
+++ b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
@@ -41,4 +41,6 @@ def subprocess_flag (name):
    def indirect(flag, x): 
        subprocess.run("ping " + x, shell=flag) # $result=BAD

-    indirect(True, name)
+    indirect(True, name)
+
+    subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False