Skip to content

Security: Remove shell=True to prevent command injection (Fix #261) #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
GaneshPatil7517 wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

Security: Remove shell=True to prevent command injection (Fix #261) #293

GaneshPatil7517 wants to merge 2 commits into from
+125 −16

Conversation

@GaneshPatil7517
Copy link

@GaneshPatil7517 GaneshPatil7517 commented Feb 12, 2026
edited
Loading

@pradeeban
Fixes critical command injection vulnerability in FRI server endpoints (/contribute and /library).

Root Cause
User input was executed via subprocess.check_output() with shell=True, allowing attackers to inject arbitrary shell commands via malformed JSON payloads (e.g., {"branch": "main & rm -rf /"}).

Fix

  • Removed shell=True from subprocess calls on Windows

  • Switched to subprocess.run() with check=True, capture_output=True, text=True for safe argument handling

  • Added input validation function (validate_input()) using regex pattern ^[a-zA-Z0-9_-/. ]+$

  • All user-supplied parameters (study, path, auth, branch, title, desc, filename) are now validated before execution

  • Added proper error handling for ValueError and CalledProcessError

Changes

  • /contribute endpoint: Removed shell=True, added input validation for 6 parameters

  • /library endpoint: Removed shell=True, added input validation for 2 parameters

Impact

  • Prevents remote code execution (RCE)
  • No API behavior changes for legitimate requests
  • Invalid input returns HTTP 400 with descriptive error message

Testing

  • Endpoints remain functional for valid alphanumeric inputs
  • Injection attempts (;, &, |, `, $, >, <) are rejected with 400 error

#261

Copilot AI review requested due to automatic review settings February 12, 2026 12:02
Copilot AI reviewed Feb 12, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR mitigates a command injection vulnerability in the FRI Flask server by removing shell=True usage and adding input validation for user-supplied values used in subprocess calls for /contribute and /library.

Changes:

  • Added a regex-based validate_input() helper and applied it to request parameters in /contribute and /library.
  • Switched Windows subprocess execution to subprocess.run(..., check=True, capture_output=True, text=True) (no shell=True).
  • Added explicit handling for ValueError and CalledProcessError in both endpoints.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@GaneshPatil7517
Address review comments: improve validation and Windows compatibility
3bc84bc 
- Add validate_filename() for strict filename validation (no path traversal)
- Add validate_text_field() for PR title/body (allow punctuation, check length)
- Add get_error_output() to extract error details from CalledProcessError
- Use cmd.exe /c to invoke .bat scripts on Windows for shell=False compatibility
- Add required parameter to validate_input() to reject None for required fields
- Normalize None to empty string for optional fields
- Include captured output in error responses for better diagnostics
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GaneshPatil7517