Merge pull request #3688 from orbisai0security/fix-fix-shell-injection-subprocess-call

keith-hall · web-flow · commit a36b02d90f18 · 2026-04-12T16:04:47.000+03:00
fix: sanitize subprocess call in generate_snapshots.py
diff --git a/tests/snapshots/generate_snapshots.py b/tests/snapshots/generate_snapshots.py
@@ -4,6 +4,7 @@
 import subprocess
 import pathlib
 import shutil
+from typing import Iterable
 
 
 def generate_snapshots():
@@ -19,22 +20,23 @@ def generate_snapshots():
 
 
 def generate_style_snapshot(style):
-    generate_snapshot(style.replace(",", "_"), "--style={}".format(style))
+    generate_snapshot(style.replace(",", "_"), ["--style={}".format(style)])
 
 
-def generate_snapshot(name, arguments):
-    command = "cargo run -- --paging=never --color=never --decorations=always "
-    command += "{args} sample.rs > output/{name}.snapshot.txt".format(
-        name=name,
-        args=arguments
-    )
+def generate_snapshot(name: str, arguments: Iterable[str]):
+    output_file = "output/{name}.snapshot.txt".format(name=name)
+    command = [
+        "cargo", "run", "--", "--paging=never", "--color=never",
+        "--decorations=always", *arguments, "sample.rs"
+    ]
     print("generating snapshot for {}".format(name))
-    subprocess.call(command, shell=True)
+    with open(output_file, "w") as f:
+        subprocess.call(command, stdout=f)
 
 
 def build_bat():
     print("building bat")
-    subprocess.call("cargo build", cwd="../..", shell=True)
+    subprocess.call(["cargo", "build"], cwd="../..")
 
 
 def prepare_output_dir():
@@ -49,7 +51,7 @@ def modify_sample_file():
 
 def undo_sample_file_modification():
     print("undoing sample.rs modifications")
-    subprocess.call("git checkout -- sample.rs", shell=True)
+    subprocess.call(["git", "checkout", "--", "sample.rs"])
 
 
 build_bat()
