Lingaraj Gowdar created AMBARI-25942:
----------------------------------------
Summary: [Security Risk] Avoid using shell=true usage wherever
subprocess module is used
Key: AMBARI-25942
URL: https://issues.apache.org/jira/browse/AMBARI-25942
Project: Ambari
Issue Type: Bug
Affects Versions: 2.7.7
Reporter: Lingaraj Gowdar
The subprocess module allows us to execute commands on the shell, but usage of
shell=true poses a security risk where user inputs with "rm -rf" can cause
terrible things.
To avoid shell-injection vulnerabilities, subprocess can be used without
shell=true, by modifying the way input is passed.
Some examples can be found here:
https://security.openstack.org/guidelines/dg_avoid-shell-true.html
This Jira is to track the related changes. Please feel free to comment /
discuss.
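The change the issue asks for, shown as an added example (not Ambari code and not part of the original report): the same constructed input is run through a shell string, through an argument list without a shell, and through a quoted shell string for the case where a pipe is really needed. It assumes Python 3.7+ on a POSIX host with `echo` and `tr`; the function names and the sample input are hypothetical.

```python
import shlex
import subprocess

# Constructed sample input: a "file name" that carries a second shell command.
HOSTILE_NAME = "report.txt; echo INJECTED"


def run_with_shell(name):
    """Before: one string handed to /bin/sh, which treats ';' as a command separator."""
    result = subprocess.run("echo " + name, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def run_with_argv(name):
    """After: an argument list and no shell; name reaches echo as a single argument."""
    result = subprocess.run(["echo", name],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def run_with_quoted_shell(name):
    """Fallback when a shell feature (here a pipe) is needed: quote every input."""
    cmd = "echo {} | tr a-z A-Z".format(shlex.quote(name))
    result = subprocess.run(cmd, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # The shell form runs two commands; the other two treat the input as data.
    print("shell=True :", run_with_shell(HOSTILE_NAME))
    print("argv list  :", run_with_argv(HOSTILE_NAME))
    print("shlex.quote:", run_with_quoted_shell(HOSTILE_NAME))
```

The argument-list form removes shell parsing only; input that begins with `-` can still be read as an option by the called program, so validate it or pass `--` where the tool supports it.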