[ https://issues.apache.org/jira/browse/AMBARI-25942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17748927#comment-17748927 ]
Lingaraj Gowdar commented on AMBARI-25942:
------------------------------------------
This was part of Python2 and initially it may not have been considered and this
discussion came up in the PR -
[https://github.com/apache/ambari/pull/3681#discussion_r1192767128]
Hence I created this Jira and PR.
> [Security Risk] Avoid using shell=true usage wherever subprocess module is
> used
> -------------------------------------------------------------------------------
>
> Key: AMBARI-25942
> URL: https://issues.apache.org/jira/browse/AMBARI-25942
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 2.7.7
> Reporter: Lingaraj Gowdar
> Priority: Major
> Labels: Ambari, python, security-issue, subprocess
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The subprocess module allows us to execute commands on the shell, but usage of
> shell=true poses a security risk where user inputs with "rm -rf" can cause
> terrible things.
> To avoid shell-injection vulnerabilities, subprocess can be used without
> shell=true, by modifying the way input is passed.
> Some examples can be found at:
> [https://security.openstack.org/guidelines/dg_avoid-shell-true.html]
>
> This Jira is to track the related changes. Please feel free to comment /
> discuss.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
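The following is an added example illustrating the change this ticket tracks; it is not Ambari code and not from the linked PR. It shows the shell=True pattern beside its argv-list replacement, a pipeline built without a shell (the usual reason shell=True creeps in), and a small AST scanner that flags remaining shell=True call sites for review. It assumes a POSIX system with /bin/sh, echo, printf and sort available; the sample source fed to the scanner and the "INJECTED" input are constructed for the demonstration.

```python
"""Added example for AMBARI-25942: replacing shell=True with argv lists.

Not Ambari's code. Assumes POSIX: /bin/sh, echo, printf and sort exist.
"""
import ast
import shlex
import subprocess


def run_with_shell(user_input: str) -> str:
    """The pattern the ticket wants removed: the whole string is handed to
    /bin/sh, so shell metacharacters in user_input are interpreted, not echoed."""
    result = subprocess.run("echo " + user_input, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def run_without_shell(user_input: str) -> str:
    """Hardened form: an argv list and no shell. user_input becomes exactly one
    argument, however many metacharacters it contains."""
    result = subprocess.run(["echo", user_input],
                            capture_output=True, text=True, check=True)
    return result.stdout


def argv_from_template(template: str, **params: str) -> list:
    """Build an argv list from a fixed, developer-owned command template.
    The template is split once with shlex; caller-supplied values are
    substituted into individual tokens and never re-parsed, so they cannot
    add tokens, redirections or command separators."""
    return [token.format(**params) for token in shlex.split(template)]


def sorted_lines_without_shell(text: str) -> str:
    """A pipeline (printf ... | sort) without shell=True: two processes
    connected explicitly through a pipe instead of a shell command string."""
    producer = subprocess.Popen(["printf", "%s", text], stdout=subprocess.PIPE)
    consumer = subprocess.Popen(["sort"], stdin=producer.stdout,
                                stdout=subprocess.PIPE, text=True)
    producer.stdout.close()  # let producer see SIGPIPE if sort exits early
    out, _ = consumer.communicate()
    producer.wait()
    return out


def find_shell_true(source: str, filename: str = "<string>") -> list:
    """Review aid: return (line, callee) for every call passing shell=True.
    Only literal True is matched; a variable passed as shell= needs a human look."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, ast.unparse(node.func)))
    return hits


# Constructed sample source for the scanner (hypothetical, not Ambari code).
SAMPLE_SOURCE = """\
import subprocess
subprocess.call("ls -l " + path, shell=True)
subprocess.run(["ls", "-l", path])
subprocess.Popen("hostname", shell=True)
"""


if __name__ == "__main__":
    payload = "hello; echo INJECTED"          # constructed, benign input
    print("shell=True   :", repr(run_with_shell(payload)))
    print("argv list    :", repr(run_without_shell(payload)))
    print("template argv:", argv_from_template("ls -l {path}", path=payload))
    print("pipeline     :", repr(sorted_lines_without_shell("b\na\n")))
    print("shell=True sites:", find_shell_true(SAMPLE_SOURCE))
```

Run it as a script to see the two runners diverge on the same input: the shell=True variant executes the second echo, the argv-list variant prints the input verbatim. The scanner is the kind of check worth running over the tree while this ticket is open; it deliberately ignores non-literal shell= arguments so that those show up in review rather than being silently passed.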